From owner-freebsd-security Fri Jan 21 9:37:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 0BB9C15513 for ; Fri, 21 Jan 2000 09:37:03 -0800 (PST) (envelope-from brett@lariat.org) Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA21042; Fri, 21 Jan 2000 10:36:42 -0700 (MST) Message-Id: <4.2.2.20000121102114.01a2dc10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jan 2000 10:36:39 -0700 To: TrouBle , Darren Reed From: Brett Glass Subject: Re: stream.c worst-case kernel paths Cc: oogali@intranova.net (Omachonu Ogali), security@FreeBSD.ORG In-Reply-To: <20000121.16082400@bastille.netquick.net> References: <200001211415.BAA12772@cairo.anu.edu.au> <200001211415.BAA12772@cairo.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:08 AM 1/21/2000 , TrouBle wrote: >So can i get a straight answer, is there yet a patch to fix this >problem under current ?? does it affect current ??? Under CURRENT, the absolute fastest fix is to set tcp_restrict_rst. This ought to hold you until you firewall and/or until there's a patch. You will still see some loading as the kernel does extra work to process the bogus packets; I've made some suggestions for patches that should help this a bit. [Note: some recent postings have pointed out problems with restricting RSTs. They're right; there are some. But that's less important than keeping your systems alive if you're under attack.] Another more general to use IPFilter (not IPFW!) with the rules Darren mentioned earlier: block in quick proto tcp from any to any head 100 pass in quick proto tcp from any to any flags S keep state group 100 pass in all If you use this on your router, it'll protect downstream machines. And it works on all of the BSDs, Solaris, *and* Linux, so it's a more far-reaching fix too. >and 3.3 I don't think 3.3 has tcp_restrict_rst (Guys, correct me here if I'm mistaken), so you'll need to use IPFilter. > and 3.4 ????? 3.4 has tcp_restrict_rst. You can set it in rc.conf. >also is there a way to test the vulnerability is gone after patching >??? I'm sure that stream.c is being sent out on the kiddie IRC channels. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message