Date: Sat, 24 Apr 2004 01:22:04 -0500 (CDT)
From: Mike Silbersack
To: Don Lewis
cc: freebsd-security@FreeBSD.org
Subject: Re: Proposed RST patch
Message-ID: <20040424011603.F1915@odysseus.silby.com>
In-Reply-To: <200404240500.i3O5057E053032@gw.catspoiler.org>

On Fri, 23 Apr 2004, Don Lewis wrote:

> > + if (tp->last_ack_sent != th->th_seq) {
>
> I'd reverse the operand order here to match the operand order of the
> enclosing "if" block. Other than that tiny nit, this looks fine.

Ok, I can do that. I also plan to update the comments above.

> What is our status with regards to the spoofed SYN version of the
> attack?

I haven't checked yet. I just finished up modifying the exploit so that it uses icmp unreachables rather than TCP RSTs. In addition to being a good lesson in libnet, it helped prove that FreeBSD is already good wrt unreach packets (due to work by jlemon and jayanth, IIRC), although I did not test any other operating systems...

(Perhaps the draft should have mentioned icmp unreach packets given that they may be handled similarly to RSTs.)

SYNs are next on the list.

Mike "Silby" Silbersack