Date: Tue, 28 Apr 2015 10:30:04 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging TCP anomalies
Message-ID: <20150428073004.GX1394@zxy.spb.ru>
In-Reply-To: <44814.1430172763@server1.tristatelogic.com>
References: <A83FB715-936E-4A43-AE2D-E76C32D0F7DE@mac.com> <44814.1430172763@server1.tristatelogic.com>
On Mon, Apr 27, 2015 at 03:12:43PM -0700, Ronald F. Guilmette wrote:
>
> In message <A83FB715-936E-4A43-AE2D-E76C32D0F7DE@mac.com>,
> Charles Swiger <cswiger@mac.com> wrote:
>
> >On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> ...
> >> and/or whether FreeBSD provides any options which,
> >> for example, might automagically trigger a close of the relevant TCP
> >> connection when and if such an event is detected. (Connection close
> >> seems to me to be one possible mitigation strategy, even if it might
> >> be viewed as rather ham-fisted by some.)
> >
> >You need to be able to distinguish normal dup packets
>
> Yes.
>
> As I understand it, (verbatim) duplicate packets can sometimes arrive at
> an endpoint due simply to network anomalies. However as I understand it,
> those will typically have identical lengths and payloads. If I read that
> news article correctly, then the spoofed packets at issue will have the
> same sequence numbers as legit ones, but different lengths and/or payloads.

Different lengths are legitimate -- in the case of a sender resending packets with a reduced packet size (for example, from a different interface with a different MTU).
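The distinction drawn in this exchange (a retransmission covering a shorter range is normal, while a segment whose bytes disagree with data already received for the same sequence range is the kind of event worth logging) can be checked mechanically. The following is an added Python example, not code from this thread or from FreeBSD; the segments are constructed, and the tracker keeps a per-byte map of what has been seen, which is enough for illustration but not what a production stack would use.

```python
"""Overlap-consistency check for TCP segments (added example, constructed data).

A legitimate retransmit may cover a shorter range (smaller MSS or MTU) but
carries the same bytes for the range it overlaps. A segment whose bytes
disagree with data already received for the same sequence offsets is the
anomaly an operator would want logged. Sequence numbers here are relative
to the start of the stream; a real implementation would work modulo 2**32.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int          # relative sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamTracker:
    """Tracks one direction of one flow: byte value seen at each sequence offset."""
    seen: Dict[int, int] = field(default_factory=dict)
    # (offset, byte previously seen, byte in the new segment)
    anomalies: List[Tuple[int, int, int]] = field(default_factory=list)

    def observe(self, seg: Segment) -> str:
        """Classify a segment as 'new', 'retransmit', 'overlap' or 'conflict'.

        'retransmit': every byte was already seen and all of them match.
        'overlap':    some bytes were already seen, all of them match.
        'conflict':   at least one already-seen offset carries a different byte.
        First-seen bytes are kept; conflicting bytes are recorded, not applied.
        """
        overlap = 0
        conflicts: List[Tuple[int, int, int]] = []
        for i, b in enumerate(seg.payload):
            off = seg.seq + i
            if off in self.seen:
                overlap += 1
                if self.seen[off] != b:
                    conflicts.append((off, self.seen[off], b))
            else:
                self.seen[off] = b
        if conflicts:
            self.anomalies.extend(conflicts)
            return "conflict"
        if overlap == 0:
            return "new"
        if overlap == len(seg.payload):
            return "retransmit"
        return "overlap"


def run_demo() -> Tuple[List[str], List[Tuple[int, int, int]]]:
    """Feed constructed segments through a tracker; return verdicts and anomalies."""
    original = b"GET /index.html HTTP/1.1\r\n"          # 26 bytes, constructed
    segments = [
        Segment(0, original),                           # first delivery
        Segment(0, original[:10]),                      # resend with smaller MSS
        Segment(10, original[10:]),                     # remainder of that resend
        Segment(0, b"GET /login.html HTTP/1.1\r\n"),    # same seq, different bytes
        Segment(26, b"Host: example.test\r\n"),         # new data after the request
    ]
    tracker = StreamTracker()
    verdicts = [tracker.observe(s) for s in segments]
    return verdicts, tracker.anomalies


if __name__ == "__main__":
    verdicts, anomalies = run_demo()
    for v in verdicts:
        print(v)
    for off, old, new in anomalies:
        print(f"conflict at offset {off}: seen {old:#04x}, got {new:#04x}")
```

The two shorter segments are classified as retransmits because their bytes agree with what was already received, which is exactly the case Slawa describes; only the segment that carries different bytes for an already-seen range is reported. Logging the conflicting offsets rather than just a count gives the operator something to compare against the other side's capture.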
