Date: Sun, 4 Apr 2004 15:59:50 -0400
From: Barney Wolff <barney@databus.com>
To: richard@wendland.org.uk
Cc: freebsd-net@freebsd.org
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
Message-ID: <20040404195950.GA20607@pit.databus.com>
In-Reply-To: <200404041938.UAA07933@starburst.demon.co.uk>
References: <406B3CC0.C277B933@freebsd.org> <200404041938.UAA07933@starburst.demon.co.uk>
On Sun, Apr 04, 2004 at 08:38:31PM +0100, Richard Wendland wrote:
>
> It would be possible to improve matters somewhat by having per-protocol
> limits. So for TCP, which with MSS and DF rarely fragments, there could
> be low limits. But for UDP (eg for NFS) which frequently fragments,
> there could be generous limits.
>
> So systems that only permit TCP and ICMP from non-trusted hosts could
> in an indirect way limit external attack, without eg hampering local UDP.

I'd prefer either per-interface limits or a trusted/non-trusted
per-interface bit, if anything at all. Per-protocol limits would simply
cause the attackers to attack the other protocol.

In truth, running NFS over UDP with 65k packets over the Internet is
suicidal anyway.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
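The following is an added illustration of the limit policies argued over in this exchange; it is a constructed simulation, not FreeBSD's ip_input.c reassembly code or anything posted by either author. It models a reassembly table that holds incomplete fragment sets, caps the number of in-flight sets under three policies (one global limit, a per-protocol limit, a per-interface limit), then floods it with never-completed first fragments from an "external" interface and checks whether a legitimate three-fragment UDP datagram on a "LAN" interface can still be reassembled. The interface names (ext0, lan0), addresses, limit of 64 and fragment sizes are all assumptions made for the example.

```python
"""Constructed simulation of IPv4 fragment-reassembly limits under a
flood of incomplete fragment sets (the "Rose attack" scenario).
Not FreeBSD code; interface names, addresses and limits are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frag:
    iface: str    # interface the fragment arrived on (assumed names)
    proto: str    # 'tcp' or 'udp'
    src: str      # source address
    ident: int    # IP identification field
    offset: int   # fragment offset, in units of 8 bytes as on the wire
    length: int   # payload length in bytes (multiple of 8 except the last)
    more: bool    # MF flag


class Reassembler:
    """Holds incomplete fragment sets and caps them according to policy."""

    def __init__(self, policy, limit):
        assert policy in ("global", "per_protocol", "per_interface")
        self.policy = policy
        self.limit = limit
        self.queues = {}      # (src, ident, proto) -> {'bucket', 'frags'}
        self.dropped = 0      # new fragment sets refused because bucket full
        self.completed = 0

    def bucket(self, f):
        # The limit is enforced per bucket; the policy decides what a bucket is.
        if self.policy == "global":
            return "all"
        if self.policy == "per_protocol":
            return f.proto
        return f.iface

    def inflight(self, bucket):
        return sum(1 for q in self.queues.values() if q["bucket"] == bucket)

    def receive(self, f):
        """Return True when this fragment completes a datagram."""
        key = (f.src, f.ident, f.proto)
        if key not in self.queues:
            b = self.bucket(f)
            if self.inflight(b) >= self.limit:
                self.dropped += 1          # attacker-filled bucket: refuse
                return False
            self.queues[key] = {"bucket": b, "frags": {}}
        frags = self.queues[key]["frags"]
        frags[f.offset] = f
        if self._complete(frags):
            del self.queues[key]
            self.completed += 1
            return True
        return False

    @staticmethod
    def _complete(frags):
        # Complete when offsets are contiguous from 0 and the last has MF=0.
        expected = 0
        for off in sorted(frags):
            if off != expected:
                return False
            expected = off + frags[off].length // 8
        return not frags[max(frags)].more


def scenario(policy, attack_protos, limit=64):
    """Flood from ext0, then try to reassemble one NFS-style UDP datagram
    arriving on lan0. Returns True if the LAN datagram reassembles."""
    r = Reassembler(policy, limit)
    # Attacker sends 200 first fragments that will never be completed,
    # cycling through whichever protocols it chooses to attack.
    for i in range(200):
        proto = attack_protos[i % len(attack_protos)]
        r.receive(Frag("ext0", proto, "198.51.100.7", i, 0, 1480, True))
    # Legitimate datagram on the LAN: three 1480-byte fragments
    # (1480 bytes = 185 eight-byte units), last one with MF clear.
    results = [
        r.receive(Frag("lan0", "udp", "192.0.2.10", 4242, off, 1480, more))
        for off, more in ((0, True), (185, True), (370, False))
    ]
    return results[-1]


if __name__ == "__main__":
    for policy, protos in (("global", ["tcp", "udp"]),
                           ("per_protocol", ["tcp"]),
                           ("per_protocol", ["udp"]),
                           ("per_interface", ["tcp", "udp"])):
        print(f"{policy:14s} attacker->{protos}: LAN NFS ok = "
              f"{scenario(policy, protos)}")
```

Running the four cases shows the two positions side by side: with one global limit the LAN datagram is refused; with per-protocol limits it survives while the attacker floods TCP, and fails as soon as the attacker switches to UDP; with per-interface limits the external flood fills only its own bucket and the LAN datagram still reassembles. The model ignores timeouts, per-set fragment counts and memory accounting, which real implementations also bound.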