Date:      Sat, 22 Jan 2000 04:46:38 +0200
From:      Giorgos Keramidas <charon@hades.hell.gr>
To:        Brett Glass <brett@lariat.org>
Cc:        Matthew Dillon <dillon@apollo.backplane.com>, Warner Losh <imp@village.org>, Darren Reed <avalon@coombs.anu.edu.au>, security@FreeBSD.ORG
Subject:   Re: stream.c worst-case kernel paths
Message-ID:  <20000122044638.B27337@hades.hell.gr>
In-Reply-To: <4.2.2.20000121163937.01a51dc0@localhost>
References:  <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <200001212321.PAA64674@apollo.backplane.com> <4.2.2.20000121163937.01a51dc0@localhost>

On Fri, Jan 21, 2000 at 04:44:06PM -0700, Brett Glass wrote:
> At 04:21 PM 1/21/2000 , Matthew Dillon wrote:
> 
> > The ICMP_BANDLIM code does precisely this:  It detects a potential attack
> > and limits the response to it.  The current ICMP_BANDLIM code is limited
> > to two cases:
> >
> >   (1) ICMP responses
> >   (2) TCP packets sent to bad ports
> >
> > It would take perhaps ten seconds to extend the mechanism to cover other
> > TCP RST cases but the above two cases usually handle the vast majority of
> > these sorts of attacks so if this exploit code is stopped cold by
> > ICMP_BANDLIM, we're done.  If it isn't then we spend a few seconds
> > extending the cases covered by ICMP_BANDLIM and we are done.
> 
> I'd certainly like to see this extended to RST. We can optimize socket
> searching and prevent TCP from sending RSTs (or anything!) to multicast
> addresses at the same time. (We probably also want to block RECEIVED TCP
> packets from multicast addresses, as Wes suggests.)

So what needs to be done is:

(a) drop all multicast packets that reach the TCP stack,
(b) extend ICMP_BANDLIM to RST packets, and
(c) avoid sending anything TCP to a multicast address.

Am I forgetting something here?

-- Giorgos
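As an added illustration (not code from this thread, and not FreeBSD's actual ICMP_BANDLIM implementation), here is a simplified model of a per-second response limiter applied to TCP RSTs, together with the two multicast checks from the list above. The function names, the `rst_limiter` structure and the cap of 200 RSTs per second are assumptions chosen for the example.

```c
/* Hypothetical model of the three items in the list above:
 * (a) multicast segments never reach TCP processing,
 * (b) RSTs are limited per one-second window, ICMP_BANDLIM style,
 * (c) no RST is ever sent to a multicast destination.
 * Addresses are IPv4 in host byte order. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define RST_LIMIT_PER_SEC 200   /* assumed cap for one one-second window */

/* 224.0.0.0/4 in host byte order; the same test the IN_MULTICAST() macro does. */
static int is_multicast(uint32_t addr)
{
    return (addr & 0xf0000000u) == 0xe0000000u;
}

/* Per-second counter that resets whenever the clock enters a new second. */
struct rst_limiter {
    time_t window;   /* the second the current count belongs to */
    int    count;    /* RSTs already sent within that second */
    long   dropped;  /* RSTs suppressed because the cap was reached */
};

/* (a) Drop any segment whose source or destination is a multicast address. */
int tcp_accept_segment(uint32_t src, uint32_t dst)
{
    return !is_multicast(src) && !is_multicast(dst);
}

/* (b) and (c): may a RST go out to `dst` at time `now`?  1 = send, 0 = suppress. */
int tcp_may_send_rst(struct rst_limiter *l, uint32_t dst, time_t now)
{
    if (is_multicast(dst))              /* (c) never answer a multicast address */
        return 0;
    if (now != l->window) {             /* new window: start counting afresh */
        l->window = now;
        l->count = 0;
    }
    if (l->count >= RST_LIMIT_PER_SEC) {
        l->dropped++;                   /* kept so an operator can see the storm */
        return 0;
    }
    l->count++;
    return 1;
}

/* Feed a burst of n RST candidates for one destination; returns how many were sent. */
int rst_burst(struct rst_limiter *l, uint32_t dst, time_t now, int n)
{
    int sent = 0;
    for (int i = 0; i < n; i++)
        sent += tcp_may_send_rst(l, dst, now);
    return sent;
}
```

With a burst of 250 candidates in one second only 200 leave the host and the remaining 50 are counted in `dropped`; the next second starts a fresh window.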


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000122044638.B27337>