From owner-freebsd-security  Fri Jan 21  6:14:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
	by hub.freebsd.org (Postfix) with ESMTP id BDFDB1542C
	for <freebsd-security@FreeBSD.ORG>; Fri, 21 Jan 2000 06:14:27 -0800 (PST)
	(envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost)
	by cairo.anu.edu.au (8.9.3/8.9.3) id BAA12691;
	Sat, 22 Jan 2000 01:14:25 +1100 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200001211414.BAA12691@cairo.anu.edu.au>
Subject: Re: Re[2]: bugtraq posts:  stream.c - new FreeBSD exploit?
To: vlad@sandy.ru
Date: Sat, 22 Jan 2000 01:14:25 +1100 (Australia/NSW)
Cc: dima@rdy.com (Dima Ruban), freebsd-security@FreeBSD.ORG
In-Reply-To: <12643.000121@sandy.ru> from "Vladimir Dubrovin" at Jan 21, 2000 03:26:08 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Vladimir Dubrovin, sie said:
> 
> Hello Dima Ruban,
> 
> 21.01.2000 3:43, you wrote: bugtraq posts:  stream.c - new FreeBSD exploit?;
> 
> >> I can think of ways to filter this by adding some stuff to IPFW.
> 
> D> I don't believe you can filter it.
> 
> Sure  you  cann't  detect invalid ACK packets with ipfw, but IMHO ipfw
> (then  dummynet  is  used)  can be used to eliminate any kind of flood
> attack with amount of small packets. Rules like
> 
> ipfw pipe 10 config delay 50 queue 5 packets
> ipfw add pipe 10 tcp from any to MYHOST in via EXTERNAL
> 
> should  limit  ipfw  to  allow only 5 tcp packets in 50 ms for MYHOST,
> more packets will be dropped. But I don't think it's best solution.

Given the exploit assigns a random source address to every packet, no.

Darren


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message