Bugtraq mailing list archives

Re: explanation and code for stream.c issues


From: brett () LARIAT ORG (Brett Glass)
Date: Fri, 21 Jan 2000 13:43:43 -0700


Tim:

Good summary!

You might want to add that, under FreeBSD 3.4 and FreeBSD-Current,
you can also turn on tcp_restrict_rst and it will help some (not
an ideal fix, but it's something that can be done quickly).
You will most likely have to recompile the kernel
with the TCP_RESTRICT_RST option first, because it is not there
by default. The kernel still spends more time than it should
figuring out that the ACK is bogus, but at least once it does,
it drops it cold. It does not try to send a RST (which, in turn,
may generate an ICMP "unreachable" message from the router since
the source address is spoofed). This ought to prevent the system
from doing more than slowing down a bit if it's attacked.

Folks who need to rewrite their firewall rules to move from IPFW
to IPFilter can do this while they're working on the conversion.

To turn on tcp_restrict_rst, recompile your kernel with the
option TCP_RESTRICT_RST and then turn on tcp_restrict_rst in
rc.conf.

--Brett

