Re: TCP vulnerability

From: Alan Evans (evans.alan_at_sbcglobal.net)
Date: 04/24/04

    Date: Sat, 24 Apr 2004 08:43:28 -0700 (PDT)
    To: Andre Oppermann <andre@freebsd.org>, Chuck Swiger <cswiger@mac.com>
    
    

    I agree, but what's most important is to maintain
    backward compatibility. If one breaks it, it's a DoS
    in some sense. I also saw some postings on NetBSD
    which does rate-limiting of ACKs (in response to SYNs),
    and ACKs RST. IMHO, the latter is bogus - why ACK a
    RST? And, the former may impose an artificial limit
    of some sort.

    Alan Evans

    --- Andre Oppermann <andre@freebsd.org> wrote:
    > Chuck Swiger wrote:
    > >
    > > Alan Evans wrote:
    > > > I'm sure FreeBSD is vulnerable.
    > > >
    > > >
    > http://www.us-cert.gov/cas/techalerts/TA04-111A.html
    > > >
    > > > There's a draft that (sort of) addresses this.
    > Should
    > > > we adopt it?
    > >
    > > This issue is being discussed on freebsd-security
    > now, and Mike Silbersack
    > > <silby@silby.com> has some patches available for
    > review and testing.
    >
    > There has been an additional problem in some BSD
    > stacks with RSTs
    > which has been fixed in FreeBSD about six years ago.
    > The remaining
    > things which are addressed in that paper are
    > hardening measures to
    > reduce the chances of a brute force blind attack.
    > There is *no* vulnerability in the sense of "send
    > packet x" and everything breaks.
    >
    > --
    > Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
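The two receiver-side behaviours the thread argues about, as an added illustration that is not FreeBSD's, NetBSD's or any poster's code: the classic rule accepts any RST whose sequence number lands in the receive window, while the hardened rule accepts only an RST at exactly rcv_nxt, answers other in-window RSTs with a challenge ACK, and rate-limits those ACKs. Field names, the per-second token bucket and the tick parameter are assumptions made for the example.

```c
/* Receiver-side RST validation, illustrative only (not a real stack). */
#include <stdint.h>
#include <stdbool.h>

/* Modular sequence-number comparison in the style BSD stacks use. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

typedef enum { RST_DROP, RST_ACCEPT, RST_CHALLENGE_ACK } rst_verdict;

typedef struct {
    uint32_t rcv_nxt;    /* next expected sequence number */
    uint32_t rcv_wnd;    /* advertised receive window */
    /* assumed token bucket for challenge ACKs, refilled once per tick */
    uint32_t ack_budget;
    uint32_t ack_limit;
    uint32_t last_tick;  /* tick of the last refill (start it unused, e.g. 0) */
} tcb;

/* Classic behaviour: any in-window RST tears the connection down, so a
 * blind sender only has to land one segment inside the window. */
rst_verdict rst_classic(const tcb *t, uint32_t seq) {
    if (SEQ_LEQ(t->rcv_nxt, seq) && SEQ_LT(seq, t->rcv_nxt + t->rcv_wnd))
        return RST_ACCEPT;
    return RST_DROP;
}

/* Hardened behaviour: only an RST at exactly rcv_nxt is honoured. An
 * in-window but inexact RST is answered with a challenge ACK, so a peer
 * that genuinely reset can reply with an exact RST; the ACKs are
 * rate-limited so that the "ACK the RST" path cannot be made to flood. */
rst_verdict rst_hardened(tcb *t, uint32_t seq, uint32_t now) {
    if (seq == t->rcv_nxt)
        return RST_ACCEPT;
    if (!(SEQ_LT(t->rcv_nxt, seq) && SEQ_LT(seq, t->rcv_nxt + t->rcv_wnd)))
        return RST_DROP;                 /* outside the window: ignore */
    if (now != t->last_tick) {           /* new tick: refill the budget */
        t->last_tick = now;
        t->ack_budget = t->ack_limit;
    }
    if (t->ack_budget == 0)
        return RST_DROP;                 /* over the challenge-ACK limit */
    t->ack_budget--;
    return RST_CHALLENGE_ACK;
}
```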
