From owner-freebsd-security Fri Jan 21 21:16:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.servercom.com (mail.servercom.com [198.76.116.6])
	by hub.freebsd.org (Postfix) with ESMTP id 9899B14E35
	for ; Fri, 21 Jan 2000 21:15:54 -0800 (PST)
	(envelope-from yardley@uiuc.edu)
Received: from liquid (wake-gw.wakeland.servercom.com [198.88.186.1])
	by mail.servercom.com (Post.Office MTA v3.5.3 release 223
	ID# 0-57662U1200L100S0V35) with ESMTP id com;
	Fri, 21 Jan 2000 23:09:05 -0600
Message-Id: <4.2.0.58.20000121230937.0128e4a8@students.uiuc.edu>
X-Sender: yardley@students.uiuc.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Fri, 21 Jan 2000 23:11:25 -0600
To: keramida@ceid.upatras.gr
From: Tim Yardley
Subject: Re: explanation and code for stream.c issues
Cc: Vladimir Dubrovin , freebsd-security@FreeBSD.ORG
In-Reply-To: <20000122050656.B27571@hades.hell.gr>
References: <4.2.0.58.20000121131202.0135ef10@students.uiuc.edu>
	<4.2.0.58.20000121112253.012a8f10@students.uiuc.edu>
	<4.2.0.58.20000121112253.012a8f10@students.uiuc.edu>
	<8920.000121@sandy.ru>
	<4.2.0.58.20000121131202.0135ef10@students.uiuc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:06 PM 1/21/2000, Giorgos Keramidas wrote:
>On Fri, Jan 21, 2000 at 01:15:27PM -0600, Tim Yardley wrote:
>
> > As was mentioned in the "advisory/explanation" on the issue, ipfw cannot
> > deal with the problem due to the fact that it is stateless.
> >
> > The attack comes from random ip addresses, therefore throttling like that
> > only hurts your connection or solves nothing at all. In other words, the
> > random sourcing and method of the attack, makes a non-stateless firewall
> > useless.
>
>Substitute 'stateless' for 'non-stateless' above. A stateless firewall, like
>IPFW is the type of firewall that is useless.

Umm.. that is exactly what I said.

A state-based firewall is called stateful and a non-state-based firewall is
called stateless. IPFW is stateless, meaning that it cannot handle packets in
a STATE-based syntax (i.e. it cannot decipher whether or not a connection has
already been started with those specs).

/tmy

--
Diving into infinity my consciousness expands in inverse proportion to my
distance from singularity
+-------- ------- ------ ----- ---- --- -- ------ --------+
| Tim Yardley (yardley@uiuc.edu) | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- ------ --------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
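Added illustration of the stateless-versus-stateful distinction made in the message above (example code, not from the thread or from ipfw itself): ipfw's `established` keyword matches any TCP segment with the ACK or RST bit set, so a stateless rule cannot tell whether an ACK belongs to a connection it has seen, whereas a tracker that records the SYN can. The protected host address and the packet trace are constructed.

```python
# Added example (not from the thread): ipfw-style stateless rules vs a minimal
# stateful tracker, run over a constructed packet trace.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: subset of "SAFR"
ME = "10.0.0.1"  # hypothetical protected web server


def stateless_allow(p):
    """Stateless check modelled on 'allow tcp from any to me 80 setup' plus
    'allow tcp from any to me 80 established'. ipfw's 'established' matches
    any segment with ACK or RST set; no connection history is consulted."""
    if p.src == ME:                       # replies leaving the host
        return True
    if p.dst == ME and p.dport == 80:
        return p.flags == "S" or "A" in p.flags or "R" in p.flags
    return False


class StatefulFilter:
    """A flow is admitted only after its SYN was seen; everything else drops."""

    def __init__(self):
        self.flows = set()                # (client, cport, server, sport)

    def allow(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if p.dst == ME and p.dport == 80 and p.flags == "S":
            self.flows.add(key)           # new inbound connection attempt
            return True
        if key in self.flows or rkey in self.flows:
            if "R" in p.flags:            # a reset tears the flow down
                self.flows -= {key, rkey}
            return True
        return False                      # e.g. an ACK with no prior handshake


def count_allowed(packets):
    sf = StatefulFilter()                 # returns (stateless, stateful) counts
    return (sum(stateless_allow(p) for p in packets),
            sum(sf.allow(p) for p in packets))


# Constructed trace: one genuine handshake, then three ACKs from random sources.
SAMPLE = [
    Pkt("192.0.2.10", 40000, ME, 80, "S"),
    Pkt(ME, 80, "192.0.2.10", 40000, "SA"),
    Pkt("192.0.2.10", 40000, ME, 80, "A"),
    Pkt("198.51.100.7", 1234, ME, 80, "A"),
    Pkt("203.0.113.9", 2222, ME, 80, "A"),
    Pkt("198.51.100.44", 3333, ME, 80, "A"),
]
```

The stateless rule set passes all six segments because every ACK matches `established`; the tracker passes only the three belonging to the handshake it recorded.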