Date: Fri, 21 Jan 2000 11:21:15 -0800 (PST)
From: dima@rdy.com (Dima Ruban)
To: Vladimir Dubrovin <vlad@sandy.ru>
Cc: Dima Ruban <dima@rdy.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <200001211921.LAA04129@sivka.rdy.com>
In-Reply-To: <12643.000121@sandy.ru> from Vladimir Dubrovin at "Jan 21, 2000 03:26:08 pm"

Vladimir Dubrovin writes:
> Sure you can't detect invalid ACK packets with ipfw, but IMHO ipfw
> (then dummynet is used) can be used to eliminate any kind of flood
> attack with amount of small packets. Rules like
>
> ipfw pipe 10 config delay 50 queue 5 packets
> ipfw add pipe 10 tcp from any to MYHOST in via EXTERNAL
>
> should limit ipfw to allow only 5 tcp packets in 50 ms for MYHOST,
> more packets will be dropped. But I don't think it's best solution.

They use random source address.

>
>
> +=-=-=-=-=-=-=-=-=+
> |Vladimir Dubrovin|
> | Sandy Info, ISP |
> +=-=-=-=-=-=-=-=-=+
>
>

-- dima