From owner-freebsd-security Fri Jan 21 16:35:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 88C39156A8 for ; Fri, 21 Jan 2000 16:35:46 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id QAA65392; Fri, 21 Jan 2000 16:35:44 -0800 (PST) (envelope-from dillon) Date: Fri, 21 Jan 2000 16:35:44 -0800 (PST) From: Matthew Dillon Message-Id: <200001220035.QAA65392@apollo.backplane.com> To: Brett Glass Cc: Warner Losh , Darren Reed , security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths References: <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <4.2.2.20000121163937.01a51dc0@localhost> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :> RST cases but the above two cases usually handle the vast majority of :> these sorts of attacks so if this exploit code is stopped cold by ICMP_BANDLIM, :> we're done. If it isn't then we spend a few seconds extending the cases :> covered by ICMP_BANDLIM and we are done. : :I'd certainly like to see this extended to RST. We can optimize socket searching :and prevent TCP from sending RSTs (or anything!) to multicast addresses at the :same time. (We probably also want to block RECEIVED TCP packets from multicast :addresses, as Wes suggests.) : :--Brett I wouldn't worry about multicast addresses for several reasons. First, very few machines actually run a multicast router. No router, no problem. Second, multicast tunnels tend to be bandwidth limited anyway. Third, from the point of view of victimizing someone multicast isn't going to get you very far because we already check for a multicast destination. We don't really need to check for a multicast source because it's really no different from a victimizing point of view as a non-multicast source address. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message