OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Other possible protection against RST/SYN attacks (was Re: TCP RST attack

From: Mike Tancsa (mikesentex.net)
Date: Wed Apr 21 2004 - 11:30:40 CDT


One other technique that might help with respect to this attack is what
Cisco implemented, commonly known as the "TTL hack"

http://www.nanog.org/mtg-0302/hack.html

I have not tried it yet, and I am not sure of the implications. But on bgp
speaking hosts, what if the following were done.

Assuming these are directly connected peers,

sysctl -w net.inet.ip.ttl=255

ipfw add 500 allow tcp from any to me 179 ipttl 255
ipfw add 600 deny log tcp from any to me 179

You would also need to cover the source ports. Not sure what the cleanest
looking rule for that would be.

What nasty side effects would this cause ? If the attacker were on the
same subnet this would not do anything, but you have larger problems if
this is the case.

         ---Mike

At 07:10 AM 21/04/2004, Jacques A. Vidrine wrote:
>On Tue, Apr 20, 2004 at 01:32:40PM -0700, Dragos Ruiu wrote:
> > Also keep in mind ports are predictable to varying degrees depending on
> > the vendor or OS, which further reduces the brute force space you have to
> > go though without sniffing.
>
>This is exactly why I ported OpenBSD's TCP ephemeral port allocation
>randomization to FreeBSD-CURRENT (although I asked Mike Silby to commit
>it for me and take the blame if it broke :-). It will also be MFC'd
>shortly in time for 4.10-RELEASE.
>
>Cheers,
>--
>Jacques Vidrine / nectarcelabo.org / jvidrineverio.net / nectarfreebsd.org

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"