From owner-cvs-all Thu Jan 27 22:13:14 2000
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id A209B14FDB; Thu, 27 Jan 2000 22:13:11 -0800 (PST)
	(envelope-from imp@FreeBSD.org)
Received: (from imp@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA31303;
	Thu, 27 Jan 2000 22:13:11 -0800 (PST)
	(envelope-from imp@FreeBSD.org)
Message-Id: <200001280613.WAA31303@freefall.freebsd.org>
From: Warner Losh
Date: Thu, 27 Jan 2000 22:13:10 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/alpha/conf GENERIC src/sys/i386/conf GENERIC src/sys/netinet ip_icmp.c tcp_input.c
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

imp         2000/01/27 22:13:10 PST

  Modified files:
    sys/alpha/conf       GENERIC
    sys/i386/conf        GENERIC
    sys/netinet          ip_icmp.c tcp_input.c
  Log:
  Mitigate the stream.c attacks

  o Drop all broadcast and multicast source addresses in tcp_input.
  o Enable ICMP_BANDLIM in GENERIC.
  o Change default to 200/s from 100/s.  This will still stop the attack, but
    is conservative enough to do this close to code freeze.

  This is not the optimal patch for the problem, but is likely the least
  intrusive patch that can be made for this.

  Obtained from: Don Lewis and Matt Dillon.
  Reviewed by: freebsd-security

  Revision  Changes    Path
  1.67      +2 -1      src/sys/alpha/conf/GENERIC
  1.238     +2 -1      src/sys/i386/conf/GENERIC
  1.39      +2 -2      src/sys/netinet/ip_icmp.c
  1.105     +33 -17    src/sys/netinet/tcp_input.c
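
The two mitigations listed in the commit log above, sketched as stand-alone C. This is an added example, not the committed FreeBSD code: the function names, the fixed one-second window, the way the 200/s cap is applied to replies, and the interface address and netmask are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration, not FreeBSD source; host-order IPv4, hypothetical names. */
bool src_is_bcast_or_mcast(uint32_t src, uint32_t if_addr, uint32_t if_mask)
{
    if ((src & 0xf0000000u) == 0xe0000000u || src == 0xffffffffu)
        return true;  /* 224.0.0.0/4 multicast or limited broadcast */
    /* Directed broadcast of the attached subnet; /31 and /32 have none. */
    return ~if_mask > 1u && src == (if_addr | ~if_mask);
}

struct reply_limiter {
    uint64_t window;  /* second the current window covers */
    unsigned sent;    /* replies generated in that second */
    unsigned limit;   /* cap per second; the log names 200 */
};

/* Fixed one-second window: allow at most `limit` replies per second. */
bool reply_allowed(struct reply_limiter *rl, uint64_t now_sec)
{
    if (now_sec != rl->window) {
        rl->window = now_sec;
        rl->sent = 0;
    }
    if (rl->sent >= rl->limit)
        return false;
    rl->sent++;
    return true;
}

/* Replies to a burst from src in one second; host 192.0.2.1/24 (constructed). */
unsigned replies_for_burst(struct reply_limiter *rl, uint32_t src,
                           unsigned count, uint64_t now_sec)
{
    unsigned replies = 0;
    for (unsigned i = 0; i < count; i++)
        if (!src_is_bcast_or_mcast(src, 0xc0000201u, 0xffffff00u) &&
            reply_allowed(rl, now_sec))
            replies++;
    return replies;
}

int main(void)
{
    struct reply_limiter rl = { 0, 0, 200 };
    printf("unicast source:   %u\n", replies_for_burst(&rl, 0xc6336407u, 1000, 1));
    printf("multicast source: %u\n", replies_for_burst(&rl, 0xe0000001u, 1000, 2));
    return 0;
}
```

The source-address check runs before the limiter, so segments with a multicast or broadcast source never consume any of the per-second reply budget.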