Date: Fri, 21 Jan 2000 22:54:49 -0700
From: Brett Glass <brett@lariat.org>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Matthew Dillon <dillon@apollo.backplane.com>
Cc: Keith Stevenson <k.stevenson@louisville.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <4.2.2.20000121224236.019bb940@localhost>
In-Reply-To: <xzpg0vqllcg.fsf@flood.ping.uio.no>
References: <Matthew Dillon's message of "Fri, 21 Jan 2000 18:45:07 -0800 (PST)"> <4.2.2.20000120194543.019a8d50@localhost> <Pine.BSF.4.10.10001211419010.3943-100000@tetron02.tetronsoftware.com> <20000121162757.A7080@osaka.louisville.edu> <xzpk8l2lul4.fsf@flood.ping.uio.no> <200001220245.SAA66403@apollo.backplane.com>
At 10:35 PM 1/21/2000, Dag-Erling Smorgrav wrote:

> 1) don't teach me how TCP_RESTRICT_RST works. I wrote it.
>
> 2) it's not meant for protecting against attacks.
>
> You can figure the rest out for yourself.

Well, here's what I plan to do. Matt is implementing a rate-limiting feature for RST packets, which is fine by me. I can understand his hesitancy to deviate from protocol. However, shortly after the system starts up (and uses RSTs to kill any old sessions that might be lingering from before the reboot), I personally want to stop sending RSTs. This will make me more resistant to some DoS attacks and probes, except for a very short window of opportunity.

So, I'll build my kernel with TCP_RESTRICT_RST but leave it off in rc.conf. At boot time, I'll use "at" to issue the command

    sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null

with a time delay of maybe a minute. A cracker would have to probe me 24x7 for a very long time to find even one such minute, and even then couldn't do much more than a better probe.

Now, all that's left to do is handle the multicast stuff and perhaps shorten a few paths in tcp_input.c. To whom do patches go? Warner?

--Brett
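The boot-time arrangement Brett describes (kernel built with TCP_RESTRICT_RST, the sysctl left off in rc.conf, and `at` used to turn it on a minute or so after startup), written out as a small POSIX sh script. This is an added example, not Brett's script or anything from the FreeBSD tree; it assumes the OID name and command from the message (`net.inet.tcp.restrict_rst`, `sysctl -w`) and the standard `at now + N minutes` syntax, and it checks that the OID actually exists before scheduling anything, so a kernel built without the option produces a clear message rather than a silently failing job.

```sh
#!/bin/sh
# Added example: schedule enabling net.inet.tcp.restrict_rst shortly after boot.
# Assumptions: FreeBSD sysctl(8) and at(1) are on the PATH; the OID below comes
# from the message this example accompanies.

SYSCTL_OID="net.inet.tcp.restrict_rst"

# Build the at(1) job body as a string. Kept pure (no side effects) so the
# exact command that will be queued can be inspected or tested.
build_job() {
    # $1 = sysctl OID, $2 = value to set
    printf 'sysctl -w %s=%s >/dev/null\n' "$1" "$2"
}

# Accept only a positive integer number of minutes.
valid_delay() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Queue the job. Returns 1 on a bad delay, 2 if the kernel lacks the OID
# (i.e. it was built without TCP_RESTRICT_RST), 0 once at(1) accepts the job.
schedule_restrict_rst() {
    delay="${1:-1}"
    if ! valid_delay "$delay"; then
        echo "schedule_restrict_rst: bad delay '$delay' (want minutes > 0)" >&2
        return 1
    fi
    if ! sysctl -n "$SYSCTL_OID" >/dev/null 2>&1; then
        echo "schedule_restrict_rst: $SYSCTL_OID not present; kernel built without TCP_RESTRICT_RST?" >&2
        return 2
    fi
    build_job "$SYSCTL_OID" 1 | at "now + $delay minutes"
}

# Only act when invoked explicitly, e.g. from an rc.local-style hook:
#   sh this_script.sh --install 1
if [ "${1:-}" = "--install" ]; then
    schedule_restrict_rst "${2:-1}"
fi
```

The delay is the trade-off Brett spells out: during that window the host still answers with RSTs (which is what lets it clear stale sessions from before the reboot); after it, the sysctl is on and stays on until the next boot. Checking the OID first matters because `sysctl -w` on a missing OID fails inside the at job, where nobody is watching the output.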