Date: Sat, 22 Jan 2000 04:46:38 +0200 From: Giorgos Keramidas <charon@hades.hell.gr> To: Brett Glass <brett@lariat.org> Cc: Matthew Dillon <dillon@apollo.backplane.com>, Warner Losh <imp@village.org>, Darren Reed <avalon@coombs.anu.edu.au>, security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths Message-ID: <20000122044638.B27337@hades.hell.gr> In-Reply-To: <4.2.2.20000121163937.01a51dc0@localhost> References: <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <200001212321.PAA64674@apollo.backplane.com> <4.2.2.20000121163937.01a51dc0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 21, 2000 at 04:44:06PM -0700, Brett Glass wrote: > At 04:21 PM 1/21/2000 , Matthew Dillon wrote: > > > The ICMP_BANDLIM code does precisely this: It detects a potential attack > > and limits the response to it. The current ICMP_BANDLIM code is limited > > to two cases: > > > > (1) ICMP responses > > (2) TCP packets sent to bad ports > > > > It would take perhaps ten seconds to extend the mechanism to cover other > > TCP RST cases but the above two cases usually handle the vast majority of > > these sorts of attacks so if this exploit code is stopped cold by > > ICMP_BANDLIM, we're done. If it isn't then we spend a few seconds > > extending the cases covered by ICMP_BANDLIM and we are done. > > I'd certainly like to see this extended to RST. We can optimize socket > searching and prevent TCP from sending RSTs (or anything!) to multicast > addresses at the same time. (We probably also want to block RECEIVED TCP > packets from multicast addresses, as Wes suggests.) So what needs to be done is: (a) drop all multicast packets that reach the tcp stack. (b) extend ICMP_BANDLIM to RST packets, and (c) avoid sending anything tcp to a multicast address Do I forget something here? -- Giorgos To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000122044638.B27337>