Bugtraq Archives: Re: explanation and code for stream.c issues

Subject: Re: explanation and code for stream.c issues
From: Brett Glass (brettLARIAT.ORG)
Date: Fri Jan 21 2000 - 14:43:43 CST


Tim:

Good summary!

You might want to add that, under FreeBSD 3.4 and FreeBSD-Current,
you can also turn on tcp_restrict_rst and it will help some (not
an ideal fix, but it's something that can be done quickly).
You will most likely have to recompile the kernel
with the TCP_RESTRICT_RST option first, because it is not there
by default. The kernel still spends more time than it should
figuring out that the ACK is bogus, but at least once it does,
it drops it cold. It does not try to send a RST (which, in turn,
may generate an ICMP "unreachable" message from the router since
the source address is spoofed). This ought to prevent the system
from doing more than slowing down a bit if it's attacked.

Folks who need to rewrite their firewall rules to move from IPFW
to IPFilter can do this while they're working on the conversion.

To turn on tcp_restrict_rst, recompile your kernel with the
option TCP_RESTRICT_RST and then turn on tcp_restrict_rst in
rc.conf.

--Brett
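The two-step procedure Brett describes (add the kernel option, then turn the knob on in rc.conf) as a small script, added here as an example and not part of his message or of the FreeBSD tree. The option name TCP_RESTRICT_RST and the rc.conf variable tcp_restrict_rst are taken from the message; the sysctl name net.inet.tcp.restrict_rst and the kernel config location under /sys/i386/conf are assumptions about the 3.4-era tree. Paths are passed as arguments so the file edits can be tried on copies first.

```shell
#!/bin/sh
# Added example: apply TCP_RESTRICT_RST to a kernel config and rc.conf
# idempotently, and check whether the running kernel honours it.
# Assumed names: sysctl net.inet.tcp.restrict_rst, config under
# /sys/i386/conf (e.g. /sys/i386/conf/MYKERNEL).

# Append "options TCP_RESTRICT_RST" to a kernel config unless it is
# already there (re-running must not produce duplicate lines).
add_kernel_option() {
    conf="$1"
    if grep -q '^options[[:space:]]\{1,\}TCP_RESTRICT_RST' "$conf"; then
        return 0
    fi
    printf 'options\t\tTCP_RESTRICT_RST\t# drop bogus ACKs without a RST\n' >> "$conf"
}

# Set tcp_restrict_rst="YES" in rc.conf, replacing any existing
# tcp_restrict_rst line so a stale "NO" cannot override it.
set_rc_knob() {
    rc="$1"
    tmp="$rc.tmp.$$"
    grep -v '^tcp_restrict_rst=' "$rc" > "$tmp" || true
    echo 'tcp_restrict_rst="YES"' >> "$tmp"
    mv "$tmp" "$rc"
}

# Static check of a config/rc.conf pair: prints "ok" when both pieces
# are present, otherwise "missing:" followed by what is absent.
check_files() {
    missing=""
    grep -q '^options[[:space:]]\{1,\}TCP_RESTRICT_RST' "$1" || missing="$missing kernel-option"
    grep -q '^tcp_restrict_rst="YES"' "$2" || missing="$missing rc.conf-knob"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Runtime check (FreeBSD host only). The sysctl is only compiled in when
# the kernel was built with the option, so a missing OID means the
# rebuild step was skipped; a value of 0 means the knob is off.
check_running() {
    v=$(sysctl -n net.inet.tcp.restrict_rst 2>/dev/null) || {
        echo "sysctl absent: kernel was not built with TCP_RESTRICT_RST"
        return 2
    }
    if [ "$v" = "1" ]; then
        echo "restrict_rst enabled"
        return 0
    fi
    echo "restrict_rst present but off: sysctl -w net.inet.tcp.restrict_rst=1"
    return 1
}

# Usage: ./restrict_rst.sh apply /sys/i386/conf/MYKERNEL /etc/rc.conf
# then config/make/install the kernel and reboot (or set the sysctl
# by hand); run "./restrict_rst.sh check" afterwards.
if [ "${1:-}" = "apply" ]; then
    add_kernel_option "$2"
    set_rc_knob "$3"
    check_files "$2" "$3"
elif [ "${1:-}" = "check" ]; then
    check_running
fi
```

The file edits alone do nothing until the kernel is rebuilt with the option and the machine is rebooted (or the sysctl is set by hand), which is why the script keeps the static and runtime checks separate: "ok" from check_files only says the rebuild will pick the option up, not that the box is protected now.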



This archive was generated by hypermail 2b27 : Sun Jan 23 2000 - 18:53:41 CST