From owner-freebsd-security@FreeBSD.ORG  Tue Apr 28 07:30:15 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 120DC709
 for <freebsd-security@freebsd.org>; Tue, 28 Apr 2015 07:30:15 +0000 (UTC)
Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BC35B1162
 for <freebsd-security@freebsd.org>; Tue, 28 Apr 2015 07:30:14 +0000 (UTC)
Received: from slw by zxy.spb.ru with local (Exim 4.84 (FreeBSD))
 (envelope-from <slw@zxy.spb.ru>)
 id 1Ymzy0-000P00-84; Tue, 28 Apr 2015 10:30:04 +0300
Date: Tue, 28 Apr 2015 10:30:04 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging TCP anomalies
Message-ID: <20150428073004.GX1394@zxy.spb.ru>
References: <A83FB715-936E-4A43-AE2D-E76C32D0F7DE@mac.com>
 <44814.1430172763@server1.tristatelogic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44814.1430172763@server1.tristatelogic.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: slw@zxy.spb.ru
X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 07:30:15 -0000

On Mon, Apr 27, 2015 at 03:12:43PM -0700, Ronald F. Guilmette wrote:

> 
> In message <A83FB715-936E-4A43-AE2D-E76C32D0F7DE@mac.com>, 
> Charles Swiger <cswiger@mac.com> wrote:
> 
> >On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrot
> >e:
> ...
> >> and/or whether FreeBSD provides any options which,
> >> for example, might automagically trigger a close of the relevant TCP
> >> connection when and if such an event is detected.  (Connection close
> >> seems to me to be one possible mitigation strategy, even if it might
> >> be viewed as rather ham-fisted by some.)
> >
> >You need to be able to distinguish normal dup packets
> 
> Yes.
> 
> As I understand it, (verbatim) duplicate packets can sometimes arrive at
> an endpoint due simply to network anomalies.  However as I understand it,
> those will typically have identical lengths and payloads.  If I read that
> news article correctly, then the spoofed packets at issue will have the
> same sequence numbers as legit ones, but different lengths and/or payloads.

different lengths is legitime -- in case of sender resend-packets and
reduce packet sizes (for example from differen interface with
different MTU).