Date:      Fri, 21 Jan 2000 21:52:58 -0700
From:      Warner Losh <imp@village.org>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Some observations on stream.c and streamnt.c 
Message-ID:  <200001220452.VAA17629@harmony.village.org>
In-Reply-To: Your message of "Fri, 21 Jan 2000 21:26:39 MST." <4.2.2.20000121210443.01981600@localhost> 
References:  <4.2.2.20000121210443.01981600@localhost>  <4.2.2.20000120194543.019a8d50@localhost> <Pine.BSF.4.10.10001211419010.3943-100000@tetron02.tetronsoftware.com> <20000121162757.A7080@osaka.louisville.edu> <xzpk8l2lul4.fsf@flood.ping.uio.no> <4.2.2.20000121195112.0196a220@localhost> 

In message <4.2.2.20000121210443.01981600@localhost> Brett Glass writes:
: during the call. When the user hangs up, your PPP software might want to 
: send a bunch of RSTs to shut down the caller's sessions (if it's been 
: tracking them). Or just do what a router does, and flag the machine
: as down.

I'm afraid I don't understand this.  If the user disconnects, how can
you send him RSTs?  There's no connection.  W/o ppp keeping state
information, it can't send them to the other end.  Also, it breaks
lots of things.  Really bad idea.

: ICMP_BANDLIM isn't a very good fix for this exploit -- it merely limits some 
: of the secondary effects. Limiting or killing RSTs is much more effective.

I have a patch that adds RSTs to the mix, which does help a lot.

: No, but it'll make it harder to figure out which 'sploits to try. It's the
: difference between leaving the door visibly wide open and forcing the cracker 
: to TRY the door. If I can waste a cracker's time, I want to.

Then why not have a strawman machine that responds in ways to make the
hackers think it insecure, when in fact they are just yanking their
chains :-)

Warner

