Date: Mon, 27 Apr 2015 12:57:16 -0700
From: Charles Swiger <cswiger@mac.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging TCP anomalies
Message-ID: <A83FB715-936E-4A43-AE2D-E76C32D0F7DE@mac.com>
In-Reply-To: <43372.1430159842@server1.tristatelogic.com>
References: <43372.1430159842@server1.tristatelogic.com>
On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> I am prompted to ask here whether or not FreeBSD performs any sort of
> logging of instances when "duplicate TCP packets but with different
> payloads" occurs,

Not normally. Such things can be visible in netstat -s output as "completely duplicate packets", "packets with some dup. data", etc and maybe enabling network debugging sysctls would give more visibility. They'd also generate vast amounts of logging for normal network activity.

> and/or whether FreeBSD provides any options which,
> for example, might automagically trigger a close of the relevant TCP
> connection when and if such an event is detected. (Connection close
> seems to me to be one possible mitigation strategy, even if it might
> be viewed as rather ham-fisted by some.)

You need to be able to distinguish normal dup packets or dropping connections will break normal traffic. For that matter, an attacker could try to spoof legit connections and your countermeasure would presumably zap the legit connection.

Use a firewall which tracks connection state, drops out-of-window packets, forces fragmented packet reassembly to be performed, uses protocol-aware proxies to validate the content of traffic where possible.

Regards,
-- 
-Chuck
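The reply above points at the `netstat -s` TCP counters ("completely duplicate packets", "packets with some dup. data") as the only place the stack exposes duplicate segments. The script below is an added example, not part of this thread or of FreeBSD itself: it pulls those two counters out of `netstat -s -p tcp` output and flags a sampling interval in which either one grows by more than a threshold, which is the low-noise alternative to logging every duplicate. The netstat output embedded in it is constructed to mimic the FreeBSD format so the functions can be exercised offline; the `monitor_tcp_dups` wrapper is the live variant and assumes it runs on a FreeBSD host with `netstat`, `sleep` and `logger` available.

```shell
#!/bin/sh
# Added example: watch FreeBSD's TCP duplicate-segment counters for sudden
# growth instead of logging every duplicate. Not code from the thread.

# Constructed sample of "netstat -s -p tcp" output, in the FreeBSD format,
# taken at two points in time. Only the two duplicate counters matter here.
SAMPLE_T0='tcp:
        1234567 packets received
                12 completely duplicate packets (9600 bytes)
                3 old duplicate packets
                4 packets with some dup. data (800 bytes duped)
                200 out-of-order packets (150000 bytes)'

SAMPLE_T1='tcp:
        1240000 packets received
                512 completely duplicate packets (409600 bytes)
                3 old duplicate packets
                90 packets with some dup. data (18000 bytes duped)
                205 out-of-order packets (153000 bytes)'

# tcp_dup_counters <netstat-output>
# Prints "<completely-duplicate> <partial-duplicate>" on one line. Missing
# counters print as 0 so the caller never sees an empty field.
tcp_dup_counters() {
    printf '%s\n' "$1" | awk '
        /completely duplicate packet/      { complete = $1 }
        /packets? with some dup\. data/    { partial  = $1 }
        END { printf "%d %d\n", complete + 0, partial + 0 }'
}

# dup_delta_exceeds "<c0> <p0>" "<c1> <p1>" <threshold>
# Succeeds (exit 0) when either counter grew by more than <threshold>
# between the two samples.
dup_delta_exceeds() {
    before_complete=${1%% *}; before_partial=${1##* }
    after_complete=${2%% *};  after_partial=${2##* }
    [ $((after_complete - before_complete)) -gt "$3" ] ||
        [ $((after_partial - before_partial)) -gt "$3" ]
}

# monitor_tcp_dups [interval-seconds] [threshold]
# Live use on a FreeBSD host (assumption: netstat/sleep/logger present):
# sample twice and raise one syslog line if the delta is out of line.
monitor_tcp_dups() {
    interval=${1:-60}; threshold=${2:-100}
    before=$(tcp_dup_counters "$(netstat -s -p tcp)")
    sleep "$interval"
    after=$(tcp_dup_counters "$(netstat -s -p tcp)")
    if dup_delta_exceeds "$before" "$after" "$threshold"; then
        logger -p daemon.warning \
            "tcp duplicate segments jumped: $before -> $after in ${interval}s"
    fi
}

# Offline demonstration on the constructed samples.
t0=$(tcp_dup_counters "$SAMPLE_T0")
t1=$(tcp_dup_counters "$SAMPLE_T1")
echo "t0: $t0"
echo "t1: $t1"
if dup_delta_exceeds "$t0" "$t1" 100; then
    echo "ALERT: duplicate-segment counters grew by more than 100"
else
    echo "ok: within threshold"
fi
```

Two caveats the thread already implies: these counters rise under ordinary loss and retransmission, so the threshold has to be set against a baseline for the host's normal traffic, and they count segments the stack trimmed or discarded as duplicates without telling you whether the duplicate carried different bytes from the original, so a jump is a prompt to capture traffic, not proof of tampering. The firewall side of the advice is a pf `scrub` rule for fragment reassembly plus stateful `keep state` rules, which is what makes out-of-window segments droppable before the host's TCP ever counts them.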