Date: Thu, 20 Nov 1997 18:15:22 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@freebsd.org, bugtraq@netspace.org
Subject: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE

Adding a rule for the interface denying packets from oneself appears to defend against the new attack. This rule worked:

    03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0

where 128.2.91.57 is the host's IP address on device ed0. This presumably works on other versions of FreeBSD, and other systems with ipfw/ipfirewall installed on them.

As always, if you are not familiar with ipfw and don't know how it works, don't use this unless you are on the console the first time! Adding this to rc.firewall on FreeBSD is also a good idea. Multi-homed hosts require one entry per device, needless to say.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University    http://www.cmu.edu/
Network Administrator, SafePort Network Services         http://www.safeport.com/
robert@fledge.watson.org  rwatson@safeport.com  http://www.watson.org/~robert/
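The message says a multi-homed host needs one such rule per device. As an added example (not part of Robert Watson's message), the POSIX shell script below generates that rule for every interface address, so nothing is missed on a host with several cards or aliases. It is fed constructed ifconfig output (the addresses and interface names are made up for the demonstration) so it runs anywhere; without the second argument it reads the live `ifconfig`. Loopback (lo0 and 127/8) is skipped deliberately, because packets to the loopback address legitimately have matching source and destination and the rule would break local services. Rule numbers are plain decimal for `ipfw add`; `ipfw list` displays rule 3001 as 03001, which is the form shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message): emit one ipfw rule per
# interface address, as the message recommends for multi-homed hosts.
# Loopback is skipped on purpose: lo0 traffic legitimately has src == dst.

# Constructed sample ifconfig output so the script runs without a FreeBSD box.
SAMPLE_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 128.2.91.57 netmask 0xffffff00 broadcast 128.2.91.255
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.4 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# self_deny_rules BASE [IFCONFIG_TEXT]
# Prints "ipfw add N deny ip from A to A via IF" for every non-loopback
# inet address, numbering the rules BASE, BASE+1, ... (ipfw list shows
# rule 3001 as 03001). With no second argument the live ifconfig is used.
self_deny_rules() {
    base=$1
    text=${2:-$(ifconfig)}
    printf '%s\n' "$text" | awk -v n="$base" '
        /^[a-zA-Z]/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && iface != "lo0" && $2 !~ /^127\./ {
            printf "ipfw add %d deny ip from %s to %s via %s\n", n, $2, $2, iface
            n++
        }'
}

# Usage: review the output, then paste it into rc.firewall or run
#   self_deny_rules 3001 | sh
# from the console, as the message advises for first-time ipfw changes.
self_deny_rules 3001 "$SAMPLE_IFCONFIG"
```

On the constructed input this prints two rules, one for ed0 and one for ed1, and nothing for lo0. Interface aliases (several `inet` lines under one device) each get their own rule, since a spoofed self-sourced packet can name any of the host's addresses.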