OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)

From: jayanth (jayanthyahoo-inc.com)
Date: Fri Apr 23 2004 - 18:19:36 CDT


Mike Silbersack (silbysilby.com) wrote:
>
> On Fri, 23 Apr 2004, Don Lewis wrote:
>
> > > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
> > > normal data?
> > >
> > > Also, has Alteon fixed the problem or do their load balancers still
> > > exhibit the behavior?
> >
> > The link I posted showed it was a FIN, and after the RST was sent (and
> > ignored by the FreeBSD stack because of the strict sequence number
> > check), the Alteon (or whatever it was) did not respond to the
> > retransmissions of the FIN packet.
> >
> > Maybe we can get by with the strict check by default and add a sysctl to
> > revert to the permissive check.
>
> I think Darren's suggestion would be a reasonable compromise; use the
> strict check in the ESTABLISHED state, and the permissive check otherwise.
> Established connections are what would be attacked, so we need the
> security there, but the closing states are where oddities seem to pop up,
> so we can use the permissive check there.
>
> If this is acceptable, I'd like to get it committed this weekend so that
> we can still get it into 4.10.
>

sure, that sounds reasonable. The sysctl should be good for yahoo.

thanks,
jayanth
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"