From owner-freebsd-security@freebsd.org Thu Jul 23 19:30:33 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D51C99A9E5B for ; Thu, 23 Jul 2015 19:30:33 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C0CAF1AF0 for ; Thu, 23 Jul 2015 19:30:33 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 653181CBA8; Thu, 23 Jul 2015 12:30:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1437679833; x=1437694233; bh=j8u99kouwl688fe5OLm5O1iNuneUnUi7rwuQZpW/Crc=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=x+CFpue79DmZRYn/xU+OVv2N6A8cv3QQxAphK3YyvEseRatzMkdOPQkJF6UoFdTn6 Z+37MizkC8sz021LdGXaewbGMfenlKvbqNK3KklskDzm8eoG0QyRnyyi6dGk+V5cIH JNiOpiQJQLC3erYlLMW0O1p+XRdSMFgDUEwSlCFQ= Message-ID: <55B140D9.5080507@delphij.net> Date: Thu, 23 Jul 2015 12:30:33 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: gabor@zahemszky.hu, freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:13.tcp References: <20150722025746.721831C32@freefall.freebsd.org> <9acb8bbfb059c3e8d08ba20a41441714@zahemszky.hu> In-Reply-To: <9acb8bbfb059c3e8d08ba20a41441714@zahemszky.hu> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jul 2015 19:30:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 07/21/15 23:52, gabor@zahemszky.hu wrote: >> IV. Workaround >> >> No workaround is available, but systems that do not provide TCP >> based service to untrusted networks are not vulnerable. >> >> Note that the tcpdrop(8) utility can be used to purge connections >> which have become wedged. For example, the following command can >> be used to generate commands that would drop all connections >> whose last rcvtime is more than 100s: >> >> netstat -nxp tcp | \ awk '{ if (int($NF) > 100) print "tcpdrop " >> $4 " " $5 }' >> >> The system administrator can then run the generated script as a >> temporary measure. Please refer to the tcpdump(8) manual page >> for additional information. > > It should be tcpdrop(8), isn't it? Yes it should be tcpdrop(8). Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVsUDZAAoJEJW2GBstM+nsvZ0P/22S7IgSHZg27gNEo1hVuSN/ GuiEoCShz2VU2c2Wk/vAo3kNvXoWsmz30fKGL5Cu8hi24w8JsHdOwzdB3JI98uu+ srw+8mjxeaumw8/P/w+D2D0w0qh2v4252KhUK9zDvkRAoWsaijgDXh2EEJoaxHCe zo7OVHfL37PG2zSAmY/whMOcQ07Tjv0SepgctKe8rt5YH66Bh2c7zkiJ0Z2wbfmC B/OvgPhiWqK522cJnTQ/FLjZNCOJ+G6jg0Z5nVBOI7L1uN5z7CyOtZ5MNLMx4fza IlaWmbAexIH/q8n37Y2pVfQvT6WyWXhSxv1reyDC2xYixzxFlFUIFQIen5jd7tVN xmYHR9SRaMPVHk5SY7OYfJUlsum4zgwiHjJv9N76tjUMPkmCBEr1fTxerU2mJ2G6 OLqvnK/VVLgebYsBj3NoTrgcKH8L4oz+W/IsPu5SF/shv7hxqAniXp3NX895j97n BzW9r75yT+Iy61VloOq/ZD9QNA379d6+kGHq96lg/qmsG7WImpxum+HtMSjtuBjJ ZP2EK4YZ1usKxjCLt6XIzH2ao1QJ8/64WmAi7tebn4O9rmBwV16wCpxEssEYU1HI l+c9CSlJfoTVkN35ka79x9BgnwpVzAy9iAscDj/yWv2iNrhjUMO6ffA6Q2CGEqxQ MT4h6biU/KXH4Reh1n8F =ZIpa -----END PGP SIGNATURE-----