Date: Fri, 23 Apr 2004 16:19:36 -0700 From: jayanth <jayanth@yahoo-inc.com> To: Mike Silbersack <silby@silby.com> Cc: kernel@yahoo-inc.com Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd) Message-ID: <20040423231936.GC21555@yahoo-inc.com> In-Reply-To: <20040423182801.G5436@odysseus.silby.com> References: <200404231041.i3NAfR7E051507@gw.catspoiler.org> <20040423182801.G5436@odysseus.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Silbersack (silby@silby.com) wrote: > > On Fri, 23 Apr 2004, Don Lewis wrote: > > > > What type of packet was causing the Alteons to emit the RST? SYN, FIN, > > > normal data? > > > > > > Also, has Alteon fixed the problem or do their load balancers still > > > exhibit the behavior? > > > > The link I posted showed it was a FIN, and after the RST was sent (and > > ignored by the FreeBSD stack because of the strict sequence number > > check), the Alteon (or whatever it was) did not respond to the > > retransmissions of the FIN packet. > > > > Maybe we can get by with the strict check by default and add a sysctl to > > revert to the permissive check. > > I think Darren's suggestion would be a reasonable compromise; use the > strict check in the ESTABLISHED state, and the permissive check otherwise. > Established connections are what would be attacked, so we need the > security there, but the closing states are where oddities seem to pop up, > so we can use the permissive check there. > > If this is acceptable, I'd like to get it committed this weekend so that > we can still get it into 4.10. > sure, that sounds reasonable. The sysctl should be good for yahoo. thanks, jayanth
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040423231936.GC21555>