From owner-freebsd-security Fri Jan 21 21:55: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 52D9C155E0 for ; Fri, 21 Jan 2000 21:55:02 -0800 (PST) (envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA29753; Fri, 21 Jan 2000 22:54:50 -0700 (MST)
Message-Id: <4.2.2.20000121224236.019bb940@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Fri, 21 Jan 2000 22:54:49 -0700
To: Dag-Erling Smorgrav , Matthew Dillon
From: Brett Glass
Subject: Re: Some observations on stream.c and streamnt.c
Cc: Keith Stevenson , freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <4.2.2.20000120194543.019a8d50@localhost> <20000121162757.A7080@osaka.louisville.edu> <200001220245.SAA66403@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:35 PM 1/21/2000 , Dag-Erling Smorgrav wrote:

>1) don't teach me how TCP_RESTRICT_RST works. I wrote it.
>
>2) it's not meant for protecting against attacks.
>
>You can figure the rest out for yourself.

Well, here's what I plan to do. Matt is implementing a rate-limiting feature for RST packets, which is fine by me. I can understand his hesitancy to deviate from protocol. However, shortly after the system starts up (and uses RSTs to kill any old sessions that might be lingering from before the reboot), I personally want to stop sending RSTs. This will make me more resistant to some DoS attacks and probes except for a very short window of opportunity.

So, I'll build my kernel with TCP_RESTRICT_RST but leave it off in rc.conf. At boot time, I'll use "at" to issue the command

    sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null

with a time delay of maybe a minute. A cracker would have to probe me 24x7 for a very long time to find even one such minute, and even then couldn't do much more than a better probe.

Now, all that's left to do is handle the multicast stuff and perhaps shorten a few paths in tcp_input.c. To whom do patches go? Warner?

--Brett
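The boot-time arrangement described in the message above, as an added example that is not from the original post or from FreeBSD: a small sh script that queues the sysctl through at(1) after a delay and refuses to schedule it when the running kernel was not built with TCP_RESTRICT_RST. The `sysctl -n` existence check, the default paths and running it from /etc/rc.local are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): enable
# net.inet.tcp.restrict_rst only after the box has had time to send
# the RSTs that clear stale sessions left over from before the reboot.
# Assumes a kernel built with TCP_RESTRICT_RST and that this runs from
# a boot-time script such as /etc/rc.local (assumed placement).

DELAY_MINUTES=${DELAY_MINUTES:-1}     # the post suggests "maybe a minute"
SYSCTL=${SYSCTL:-/sbin/sysctl}        # assumed path
AT=${AT:-/usr/bin/at}                 # assumed path

# The one-line command the at(1) job will run, exactly as in the post.
# Kept in a function so it can be inspected without touching the kernel.
restrict_rst_cmd() {
    printf '%s -w net.inet.tcp.restrict_rst=1 >/dev/null\n' "$SYSCTL"
}

# Queue the job. If the sysctl does not exist the kernel lacks
# TCP_RESTRICT_RST, and the job would only fail later, so say so now.
schedule_restrict_rst() {
    if ! "$SYSCTL" -n net.inet.tcp.restrict_rst >/dev/null 2>&1; then
        echo "restrict_rst: sysctl not present; kernel lacks TCP_RESTRICT_RST" >&2
        return 1
    fi
    restrict_rst_cmd | "$AT" now + "$DELAY_MINUTES" minutes
}
```

Call `schedule_restrict_rst` from the boot script; until the job fires the kernel keeps its normal RST behaviour, which is the window the post accepts.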