Date: Fri, 23 Apr 2004 22:00:05 -0700 (PDT) From: Don Lewis <truckman@FreeBSD.org> To: silby@silby.com Cc: freebsd-security@FreeBSD.org Subject: Re: Proposed RST patch Message-ID: <200404240500.i3O5057E053032@gw.catspoiler.org> In-Reply-To: <20040423222922.F1915@odysseus.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 23 Apr, Mike Silbersack wrote:
>
> Here's my proposed patch to change RST handling so that ESTABLISHED
> connections are subject to strict RST checking, but connections in other
> states are only subject to the "within the window" check. Part 2 of the
> patch is simply a patch to netstat so that it displays the statistic.
>
> As expected, it's very straightforward, the only real question is what to
> call the statistic... "Ignored RSTs in the window" isn't the best
> description.
>
> FWIW, I've been testing with the exploit code
> (reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this
> change does indeed defeat the attack. It took me a while to get the code
> working, they really munged up the libnet calls, but I guess that was the
> intent.
> + if (tp->last_ack_sent != th->th_seq) {
I'd reverse the operand order here to match the operand order of the
enclosing "if" block. Other than that tiny nit, this looks fine.
What is our status with regards to the spoofed SYN version of the
attack?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404240500.i3O5057E053032>