Date: Thu, 27 Jan 2000 12:56:56 -0500 (EST)
From: Dug Song
To: Michael Robinson
Cc: freebsd-security@freebsd.org
Subject: Re: opinions on source quench
In-Reply-To: <200001271256.UAA28713@netrinsics.com>

On Thu, 27 Jan 2000, Michael Robinson wrote:

> What is the prevailing opinion on accepting ICMP source quench?
>
> Which is greater, the danger of a spoofed DoS attack, or the danger of
> overloading some hapless downstream network node?

to spoof ICMP source quenches correctly, an attacker must be able to
sniff your packets to quote them in the forged reply. but if they can do
this, they can just as easily forge correct TCP RSTs. see the tcpnice,
tcpkill programs from dsniff for sample code:

	http://www.monkey.org/~dugsong/dsniff/

TCP has its own congestion control, and i don't know of any applications
using UDP that honor source quenches. my guess is that it would probably
be safe to filter them, but YMMV.

-d.

---
http://www.monkey.org/~dugsong/
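
Added example, not part of the original message and not code from dsniff or FreeBSD: a receiver-side check showing why a source quench has to quote a real packet before it can be believed. The connection-table layout, the function names and the sequence-window test are assumptions made for illustration; the ICMP checksum is not verified here.

```python
import struct

ICMP_SOURCE_QUENCH = 4  # RFC 792: type 4, code 0
IPPROTO_TCP = 6

def parse_quench(icmp: bytes):
    """Return (src, dst, sport, dport, seq) quoted in a source quench, else None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_SOURCE_QUENCH or icmp[1] != 0:
        return None
    quoted = icmp[8:]  # after the ICMP header: original IP header + first 8 bytes
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None
    if quoted[9] != IPPROTO_TCP:
        return None
    src, dst = quoted[12:16], quoted[16:20]
    # The first 8 bytes of a TCP header are source port, dest port, sequence number.
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return src, dst, sport, dport, seq

def quench_is_plausible(icmp: bytes, connections: dict) -> bool:
    """connections (hypothetical layout) maps
    (local_addr, local_port, remote_addr, remote_port) -> (snd_una, snd_max)."""
    parsed = parse_quench(icmp)
    if parsed is None:
        return False
    src, dst, sport, dport, seq = parsed
    # The quoted packet is one we sent, so its source is our side of the connection.
    state = connections.get((src, sport, dst, dport))
    if state is None:
        return False
    snd_una, snd_max = state
    # Quoted sequence number must fall in unacknowledged data (mod 2**32).
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_max - snd_una) & 0xFFFFFFFF)

def build_quench(src, dst, sport, dport, seq) -> bytes:
    """Constructed sample input: source quench quoting a minimal IPv4 + TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    return struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)

if __name__ == "__main__":
    local, remote = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed
    table = {(local, 40000, remote, 80): (1000, 3000)}
    for seq in (1500, 5000):  # in-window quote, then a blind guess
        msg = build_quench(local, remote, 40000, 80, seq)
        print(seq, quench_is_plausible(msg, table))
```

A message that fails this check can be dropped without consulting any filter rule; one that passes was quoted by someone who saw the traffic, which is the situation the reply compares to forged RSTs.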