Date: Fri, 21 Jan 2000 15:26:08 +0300
From: Vladimir Dubrovin <vlad@sandy.ru>
To: Dima Ruban <dima@rdy.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <12643.000121@sandy.ru>
In-Reply-To: <200001210043.QAA57553@sivka.rdy.com>
References: <200001210043.QAA57553@sivka.rdy.com>

Hello Dima Ruban,

21.01.2000 3:43, you wrote: bugtraq posts: stream.c - new FreeBSD exploit?;

>> I can think of ways to filter this by adding some stuff to IPFW.

D> I don't believe you can filter it.

Sure you can't detect invalid ACK packets with ipfw, but IMHO ipfw
(when dummynet is used) can be used to eliminate any kind of flood
attack with amount of small packets. Rules like

    ipfw pipe 10 config delay 50 queue 5 packets
    ipfw add pipe 10 tcp from any to MYHOST in via EXTERNAL

should limit ipfw to allow only 5 tcp packets in 50 ms for MYHOST,
more packets will be dropped. But I don't think it's the best solution.

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
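
Added illustration, not part of the original message: a simplified fixed-window model in Python of the limit the message describes (5 packets per 50 ms), run over a constructed packet trace. It does not reproduce dummynet's actual queueing; the function names and the trace are assumptions. It shows that such a cap holds during a flood but drops legitimate packets along with the flood, since the limit cannot tell senders apart.

```python
from collections import Counter

WINDOW_MS = 50   # from the message: "5 tcp packets in 50 ms"
LIMIT = 5

def apply_limit(packets, window_ms=WINDOW_MS, limit=LIMIT):
    """Accept at most `limit` packets per window_ms window, drop the rest.

    packets: iterable of (time_ms, source_label), sorted by time.
    Returns (passed, dropped) Counters keyed by source label.
    """
    passed, dropped = Counter(), Counter()
    current_window, used = None, 0
    for t, src in packets:
        w = t // window_ms
        if w != current_window:          # a new 50 ms window starts
            current_window, used = w, 0
        if used < limit:
            used += 1
            passed[src] += 1
        else:                            # cap reached: sender is irrelevant
            dropped[src] += 1
    return passed, dropped

def build_trace(duration_ms=1000, flood_per_ms=2, legit_every_ms=10):
    """Constructed trace: a flood source sends flood_per_ms small packets
    every millisecond; one legitimate client sends a packet every
    legit_every_ms, arriving after that millisecond's flood packets."""
    trace = []
    for t in range(duration_ms):
        trace.extend((t, "flood") for _ in range(flood_per_ms))
        if t % legit_every_ms == 0:
            trace.append((t, "legit"))
    return trace

def summarize(with_flood=True):
    """Run the limiter over one second of constructed traffic."""
    trace = build_trace(flood_per_ms=2 if with_flood else 0)
    passed, dropped = apply_limit(trace)
    return {"passed": dict(passed), "dropped": dict(dropped)}

if __name__ == "__main__":
    print("quiet:", summarize(False))
    print("flood:", summarize(True))
```
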