Bugtraq mailing list archives
Re: explanation and code for stream.c issues
From: brett () LARIAT ORG (Brett Glass)
Date: Fri, 21 Jan 2000 13:43:43 -0700
Tim:

Good summary! You might want to add that, under FreeBSD 3.4 and FreeBSD-Current, you can also turn on tcp_restrict_rst and it will help some (not an ideal fix, but it's something that can be done quickly). You will most likely have to recompile the kernel with the TCP_RESTRICT_RST option first, because it is not there by default.

The kernel still spends more time than it should figuring out that the ACK is bogus, but at least once it does, it drops it cold. It does not try to send a RST (which, in turn, may generate an ICMP "unreachable" message from the router since the source address is spoofed). This ought to prevent the system from doing more than slowing down a bit if it's attacked. Folks who need to rewrite their firewall rules to move from IPFW to IPFilter can do this while they're working on the conversion.

To turn on tcp_restrict_rst, recompile your kernel with the option TCP_RESTRICT_RST and then turn on tcp_restrict_rst in rc.conf.

--Brett