Date: Fri, 23 Apr 2004 18:32:06 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Don Lewis <truckman@FreeBSD.org>
Cc: jayanth@yahoo-inc.com
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID: <20040423182801.G5436@odysseus.silby.com>
In-Reply-To: <200404231041.i3NAfR7E051507@gw.catspoiler.org>
References: <200404231041.i3NAfR7E051507@gw.catspoiler.org>
On Fri, 23 Apr 2004, Don Lewis wrote:

> > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
> > normal data?
> >
> > Also, has Alteon fixed the problem or do their load balancers still
> > exhibit the behavior?
>
> The link I posted showed it was a FIN, and after the RST was sent (and
> ignored by the FreeBSD stack because of the strict sequence number
> check), the Alteon (or whatever it was) did not respond to the
> retransmissions of the FIN packet.
>
> Maybe we can get by with the strict check by default and add a sysctl to
> revert to the permissive check.

I think Darren's suggestion would be a reasonable compromise; use the strict check in the ESTABLISHED state, and the permissive check otherwise. Established connections are what would be attacked, so we need the security there, but the closing states are where oddities seem to pop up, so we can use the permissive check there.

If this is acceptable, I'd like to get it committed this weekend so that we can still get it into 4.10.

Mike "Silby" Silbersack
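As an added illustration of the compromise discussed above (this is not code from the thread or from FreeBSD's tcp_input.c), the state-dependent RST acceptance check written as a stand-alone C function: the strict "exact rcv_nxt" test in ESTABLISHED, the RFC 793 in-window test in every other state. The state enum, function names and the SEQ_LT/SEQ_LEQ helpers are assumptions made for this example; the helpers use modulo-2^32 arithmetic so the window test stays correct across sequence-number wraparound.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified connection states for this example (not FreeBSD's tcpcb). */
enum tcp_state {
    TCPS_ESTABLISHED,
    TCPS_FIN_WAIT_1, TCPS_FIN_WAIT_2, TCPS_CLOSE_WAIT,
    TCPS_CLOSING, TCPS_LAST_ACK, TCPS_TIME_WAIT
};

/* Sequence-number comparisons modulo 2^32 (RFC 793 style). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Permissive check: accept a RST whose SEQ lies anywhere in the
 * receive window, i.e. rcv_nxt <= seq < rcv_nxt + rcv_wnd. */
bool rst_in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    return SEQ_LEQ(rcv_nxt, seq) && SEQ_LT(seq, rcv_nxt + rcv_wnd);
}

/* Strict check: accept a RST only if SEQ is exactly the next expected
 * sequence number, which shrinks a blind guesser's odds to 1 in 2^32. */
bool rst_exact(uint32_t rcv_nxt, uint32_t seq)
{
    return seq == rcv_nxt;
}

/* The compromise from the thread: strict in ESTABLISHED (the state a
 * long-lived session such as a BGP peering sits in), permissive in the
 * closing states where middleboxes were observed sending off-by-one RSTs. */
bool accept_rst(enum tcp_state state, uint32_t rcv_nxt, uint32_t rcv_wnd,
                uint32_t seq)
{
    if (state == TCPS_ESTABLISHED)
        return rst_exact(rcv_nxt, seq);
    return rst_in_window(rcv_nxt, rcv_wnd, seq);
}
```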
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040423182801.G5436>