Date: Fri, 21 Jan 2000 20:39:26 -0800 From: gdonl@tsc.tdk.com (Don Lewis) To: Matthew Dillon <dillon@apollo.backplane.com>, Giorgos Keramidas <charon@hades.hell.gr> Cc: Brett Glass <brett@lariat.org>, Warner Losh <imp@village.org>, Darren Reed <avalon@coombs.anu.edu.au>, security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths Message-ID: <200001220439.UAA15676@salsa.gv.tsc.tdk.com> In-Reply-To: Matthew Dillon <dillon@apollo.backplane.com> "Re: stream.c worst-case kernel paths" (Jan 21, 7:59pm)
next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 21, 7:59pm, Matthew Dillon wrote: } Subject: Re: stream.c worst-case kernel paths } :So what needs to be done is: } : } :(a) drop all multicast packets that reach the tcp stack. } :(b) extend ICMP_BANDLIM to RST packets, and } :(c) avoid sending anything tcp to a multicast address } : } :Do I forget something here? } : } :-- Giorgos } } That's pretty much it. I've already sent a patch set to Warner for (b). } I don't think we should do (a) or (c) until after the release, multicast } isn't going to explode on us in the next 4 months. But that doesn't stop an attacker from sending forged TCP packets with forged multicast addresses. Spraying the local network with a multicast response to an incoming unicast seems like a bad idea. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200001220439.UAA15676>