Date:      Fri, 21 Jan 2000 19:53:07 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Brett Glass <brett@lariat.org>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, Keith Stevenson <k.stevenson@louisville.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Some observations on stream.c and streamnt.c
Message-ID:  <200001220353.TAA66856@apollo.backplane.com>
References:  <4.2.2.20000120194543.019a8d50@localhost> <Pine.BSF.4.10.10001211419010.3943-100000@tetron02.tetronsoftware.com> <20000121162757.A7080@osaka.louisville.edu> <xzpk8l2lul4.fsf@flood.ping.uio.no> <4.2.2.20000121195112.0196a220@localhost>

:...
:amplify the attack by triggering ICMP traffic.
:
:So, one might argue that RSTs could (and should!) be turned off a certain
:amount of time after a machine boots. After all, once it's past the
:time when they can reasonably be used to kill old sessions, they're
:pretty much only going to be responses to attacks (see RFC 793). And 
:they'll allow port probing.
:
:My preference as a sysadmin would therefore be to rate-limit during
:the "cleanup" period but ramp the limit down to zero thereafter.
:This might be the best of all worlds for those of us who don't want to 
:be probed but want to be able to reboot gracefully -- which is what 
:the protocol designers had in mind.
:
:--Brett

    Brett, it's an interesting rationalization, but it's completely wrong. 
    If you think a moment you will find that there are plenty of RST situations
    long after boot.  Think of all those dialup connections where people 
    turn off their modems before disconnecting, for example.  At BEST our
    servers always had a large number of hanging connections from that
    sort of situation.  Now what happens when someone new gets that dynamic
    dialup IP and connects back to the same server using the same port pair?
    There are ftp port-pairs, there is the tendency for machines to reuse
    port numbers, there are all sorts of problems that RST helps with.

    Believe me, RSTs are useful.  Rationalizing them away just isn't
    going to work.  You will wind up with some convoluted set of rules and
    conditions when all you had to do in the first place was turn on
    ICMP_BANDLIM.

    As far as port probing goes:  So what?  Do you think preventing people
    from identifying your machine will make it more secure?  I got news for
    you!  Most machine compromises come from the inside-out, when your
    users pick stupid passwords or login from a public library.  I would
    stop worrying about silly things like port probing and instead work on
    more meaningful security measures.  You will only twist yourself in
    knots and screw up your system with convoluted options that go wayyy too
    far.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
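The two policies argued over above can be compared in a small model. The following is an added illustration written for this archive page; it is not FreeBSD's ICMP_BANDLIM implementation or any code from the thread's participants. It assumes (as a simplification) that ICMP_BANDLIM behaves as a fixed per-second cap on RST/ICMP responses, models Brett's proposal as the same cap ramped to zero once a post-boot "cleanup" window has passed, and runs both over a constructed traffic sample: a handful of stale-session segments arriving hours after boot, the dialup reuse case Matt describes, plus a one-second burst of spoofed segments.

```python
"""Toy comparison of two RST rate-limiting policies (added example, not FreeBSD code).

Assumptions, all hypothetical for illustration:
  * FixedLimiter stands in for ICMP_BANDLIM: at most `per_sec` responses per
    wall-clock second, counted in whole-second windows.
  * RampDownLimiter stands in for the "rate-limit during cleanup, then zero"
    proposal: same cap inside the cleanup window, no RSTs at all afterwards.
The traffic is constructed, not captured.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    t: float      # seconds since boot at which the segment arrives
    legit: bool   # True: stale-session segment that deserves an RST; False: flood


class FixedLimiter:
    """Fixed per-second cap on RST responses (ICMP_BANDLIM-style model)."""

    def __init__(self, per_sec: int):
        self.per_sec = per_sec
        self.window = -1   # current whole-second window
        self.count = 0     # responses already sent in that window

    def allow(self, t: float) -> bool:
        w = int(t)
        if w != self.window:
            self.window, self.count = w, 0
        if self.count < self.per_sec:
            self.count += 1
            return True
        return False


class RampDownLimiter(FixedLimiter):
    """Same cap during the cleanup window, then RSTs are suppressed entirely."""

    def __init__(self, per_sec: int, cleanup_secs: float):
        super().__init__(per_sec)
        self.cleanup = cleanup_secs

    def allow(self, t: float) -> bool:
        if t >= self.cleanup:
            return False
        return super().allow(t)


def simulate(limiter: FixedLimiter, segments: list) -> dict:
    """Run segments through a limiter and count what happens to each class."""
    sent_legit = sent_flood = dropped_legit = 0
    for seg in sorted(segments, key=lambda s: s.t):
        if limiter.allow(seg.t):
            if seg.legit:
                sent_legit += 1
            else:
                sent_flood += 1
        elif seg.legit:
            dropped_legit += 1
    return {
        "legit_rst_sent": sent_legit,
        "legit_rst_dropped": dropped_legit,
        "flood_rst_sent": sent_flood,
    }


def sample_traffic() -> list:
    """Constructed sample: stale sessions reconnecting long after boot, plus a flood."""
    segs = [Segment(t, True) for t in (5.0, 30.0, 3600.0, 5000.5, 7200.5, 86400.0)]
    # 1000 spoofed segments within one second, about 83 minutes after boot
    segs += [Segment(5000.0 + i / 1000, False) for i in range(1000)]
    return segs


def run_fixed(per_sec: int = 200) -> dict:
    return simulate(FixedLimiter(per_sec), sample_traffic())


def run_ramp(per_sec: int = 200, cleanup_secs: float = 60.0) -> dict:
    return simulate(RampDownLimiter(per_sec, cleanup_secs), sample_traffic())


if __name__ == "__main__":
    print("fixed cap   :", run_fixed())
    print("ramp to zero:", run_ramp())
```

With these numbers the fixed cap still answers every stale-session segment that arrives outside the flood second (it loses only the one that happens to land inside the burst, after the cap is exhausted), while the ramp-to-zero policy answers the two that arrive inside the 60-second cleanup window and silently drops the four later ones. That is the failure Matt points at: the stale connections keep turning up for as long as the host is up, so any policy keyed to time-since-boot discards legitimate RSTs indefinitely, whereas the simple per-second cap bounds the amplification without changing the protocol.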


