Date:      Tue, 16 Sep 2014 07:35:26 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Message-ID:  <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com>
In-Reply-To: <54180EBF.2050104@pyro.eu.org>
References:  <201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org>


On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
> Hi,
> 
> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> > An attacker who has the ability to spoof IP traffic can tear down a
> > TCP connection by sending only 2 packets, if they know both TCP port
> > numbers.
> 
> This may be a silly question but, if the attacker can spoof IP traffic,
> can't the same be done with a single RST packet?
> 

Yes, this is how Sandvine anti-piracy products work. They detect you
torrenting/P2P and then send an RST spoofed from the other end. You can
defeat this by dropping RST altogether, which is what many people do.
It's better if they don't blindly block all RST, and only to the ports
they use for P2P... 

I'm torn on calling this an actual security problem. It's certainly a
bug -- defeated by a stateful firewall, as detailed in the SA -- but if
someone can spoof the traffic... you've a problem at a different layer
:-)


(Warning: I'm not a security expert.)
