From owner-freebsd-net@FreeBSD.ORG Sun Apr 4 12:59:56 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E7A416A4CE for ; Sun, 4 Apr 2004 12:59:56 -0700 (PDT) Received: from pit.databus.com (p70-227.acedsl.com [66.114.70.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id A767A43D31 for ; Sun, 4 Apr 2004 12:59:55 -0700 (PDT) (envelope-from barney@pit.databus.com) Received: from pit.databus.com (localhost [127.0.0.1]) by pit.databus.com (8.12.11/8.12.11) with ESMTP id i34Jxooq020668; Sun, 4 Apr 2004 15:59:50 -0400 (EDT) (envelope-from barney@pit.databus.com) Received: (from barney@localhost) by pit.databus.com (8.12.11/8.12.11/Submit) id i34JxovK020667; Sun, 4 Apr 2004 15:59:50 -0400 (EDT) (envelope-from barney) Date: Sun, 4 Apr 2004 15:59:50 -0400 From: Barney Wolff To: richard@wendland.org.uk Message-ID: <20040404195950.GA20607@pit.databus.com> References: <406B3CC0.C277B933@freebsd.org> <200404041938.UAA07933@starburst.demon.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200404041938.UAA07933@starburst.demon.co.uk> User-Agent: Mutt/1.5.6i X-Scanned-By: MIMEDefang 2.39 cc: freebsd-net@freebsd.org Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Apr 2004 19:59:56 -0000 On Sun, Apr 04, 2004 at 08:38:31PM +0100, Richard Wendland wrote: > > It would be possible to improve matters somewhat by having per-protocol > limits. So for TCP, which with MSS and DF rarely fragments, there could > be low limits. But for UDP (eg for NFS) which frequently fragments, > there could be generous limits. > > So systems that only permit TCP and ICMP from non-trusted hosts could > in an indirect way limit external attack, without eg hampering local UDP. I'd prefer either per-interface limits or a trusted/non-trusted per-interface bit, if anything at all. Per-protocol limits would simply cause the attackers to attack the other protocol. In truth, running NFS over UDP with 65k packets over the Internet is suicidal anyway. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.