From owner-freebsd-security@FreeBSD.ORG  Tue Mar  2 05:43:44 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D7CBE16A4CE
	for <freebsd-security@freebsd.org>;
	Tue,  2 Mar 2004 05:43:44 -0800 (PST)
Received: from schlepper.zs64.net (schlepper.zs64.net [212.12.50.230])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8123143D2F
	for <freebsd-security@freebsd.org>;
	Tue,  2 Mar 2004 05:43:43 -0800 (PST)	(envelope-from stb@lassitu.de)
Received: from [127.0.0.1] (schlepper [212.12.50.230])
	by schlepper.zs64.net (8.12.10/8.11.1) with ESMTP id i22DhepG081083;
	Tue, 2 Mar 2004 14:43:41 +0100 (CET)
	(envelope-from stb@lassitu.de)
In-Reply-To: <20040301113726.T17968@odysseus.silby.com>
References: <6.0.3.0.0.20040229182702.07a67a68@209.112.4.2>
	<20040301103615.GB97298@starjuice.net>
	<20040301113726.T17968@odysseus.silby.com>
Mime-Version: 1.0 (Apple Message framework v612)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <9CDEFA50-6C4F-11D8-9FC0-000393496BE8@lassitu.de>
Content-Transfer-Encoding: 7bit
From: Stefan Bethke <stb@lassitu.de>
Date: Tue, 2 Mar 2004 14:43:39 +0100
To: Mike Silbersack <silby@silby.com>
X-Mailer: Apple Mail (2.612)
cc: freebsd-security@freebsd.org
Subject: Re: mbuf vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2004 13:43:45 -0000

Am 01.03.2004 um 18:42 schrieb Mike Silbersack:
> A specially constructed stateful firewall could be constructed to deal
> with this DoS, but I'm certain that there's no way you could use ipf or
> anything preexisting to do the job.

OpenBSD's pf scrubbing should be helpful here. From the FAQ:
> The scrub directive also reassembles fragmented packets, protecting 
> some operating systems from some forms of attack.
<http://www.openbsd.org/faq/pf/scrub.html>

Our port is only for 5.0 or newer, though.

-- 
Stefan Bethke <stb@lassitu.de>   Fon +49 170 346 0140