From owner-freebsd-security Fri Jan 21 11: 8:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id A51D91527D for ; Fri, 21 Jan 2000 11:08:40 -0800 (PST) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id WAA62110; Fri, 21 Jan 2000 22:04:48 +0300 (MSK)
Date: Fri, 21 Jan 2000 22:04:53 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.36) S/N D33CD428
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <8920.000121@sandy.ru>
To: Tim Yardley
Cc: news@technotronic.com, bugtraq@securityfocus.com, freebsd-security@FreeBSD.org
Subject: Re: explanation and code for stream.c issues
In-reply-To: <4.2.0.58.20000121112253.012a8f10@students.uiuc.edu>
References: <4.2.0.58.20000121112253.012a8f10@students.uiuc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Tim Yardley,

21.01.00 20:25, you wrote: explanation and code for stream.c issues;

T> -- start rule set --
T> block in quick proto tcp from any to any head 100
T> pass in quick proto tcp from any to any flags S keep state group 100
T> pass in all
T> -- end rule set --

The attack can easily be changed to send a pair of SYN and invalid SYN/ACK packets before spoofing some port. I guess in this case your ruleset will be useless. But I believe it's possible to limit the number of TCP packets sent to some host with ipfw:

ipfw pipe 10 config delay 50 queue 5 packets
ipfw add pipe 10 tcp from any to $MYHOST in via $EXTERNAL

I have not tested this rule but I guess with appropriate delay and queue it will stop any TCP spoofing.
+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
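The pipe rule proposed in the message relies on two knobs, a forwarding delay of 50 ms and a waiting queue of 5 packets, to throttle the stream of TCP packets reaching one host. The following Python block is an added example, not code from the message or from the ipfw/dummynet project: it is a deliberately simplified queue model that forwards at most one packet per delay slot, holds up to `queue_len` packets that are waiting for a slot, and drops the rest. That forwarding semantics is an assumption of the model, not a description of how dummynet actually schedules packets (the author says the rule was untested), and the traffic patterns fed into it are constructed, not captures. What the model shows is the shape of the trade-off: a burst aimed at the host is mostly dropped, a modestly paced client is untouched, but because the pipe is keyed on the destination host, every source shares the same small queue while the burst is in progress.

```python
from collections import deque


def simulate_pipe(arrival_times_ms, delay_ms=50, queue_len=5):
    """Simplified per-host pipe model (assumption: the pipe forwards at
    most one packet every delay_ms, holds up to queue_len packets that
    are waiting for a forwarding slot, and drops everything beyond that).
    delay_ms=50 and queue_len=5 mirror the numbers in the proposed rule.
    Returns (passed, dropped)."""
    waiting = deque()
    next_slot = 0          # earliest time the pipe may forward its next packet
    passed = dropped = 0
    for t in sorted(arrival_times_ms):
        # Packets queued earlier leave the pipe as their slots come up.
        while waiting and next_slot <= t:
            waiting.popleft()
            passed += 1
            next_slot += delay_ms
        if not waiting and next_slot <= t:
            # Pipe is idle: forward immediately and reserve the next slot.
            passed += 1
            next_slot = t + delay_ms
        elif len(waiting) < queue_len:
            waiting.append(t)  # wait for a later slot
        else:
            dropped += 1       # queue full: the limit is what drops the packet
    # Whatever is still queued is forwarded after the last arrival.
    passed += len(waiting)
    return passed, dropped


def scenarios():
    """Constructed traffic patterns (not captures): a flood of 200 packets
    arriving at once, a client sending one packet every 100 ms, and the
    flood followed by a single legitimate packet one second later."""
    burst = [0] * 200
    normal = [100 * i for i in range(20)]
    return {
        "burst": simulate_pipe(burst),          # 1 forwarded + 5 queued, rest dropped
        "normal": simulate_pipe(normal),        # every packet finds the pipe idle
        "mixed": simulate_pipe(burst + [1000]), # late packet passes once queue drains
    }


if __name__ == "__main__":
    for name, (passed, dropped) in scenarios().items():
        print(f"{name:>6}: passed={passed} dropped={dropped}")
```

The "mixed" scenario is the caveat a practitioner would want to keep in mind: the legitimate packet gets through only because it arrives after the flood has drained from the queue; any packet that arrives while the queue is full is dropped regardless of who sent it, so tuning `delay` and `queue` is a balance between blunting a flood and refusing ordinary clients.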