Re: mbuf vulnerability
From: Mike Silbersack (silby_at_silby.com)
Date: 03/02/04
Date: Tue, 2 Mar 2004 11:18:01 -0600 (CST)
To: Darren Reed <avalon@caligula.anu.edu.au>
On Wed, 3 Mar 2004, Darren Reed wrote:
> IPFilter v4 can prevent this attack with:
>
> pass in .. proto tcp ... keep state(strict)
Nope, I just tested this. Well, I should say that it doesn't provide any
protection with "keep state"... what does (strict) mean? The ipf in
FreeBSD doesn't seem to support it.
> > OpenBSD's pf scrubbing should be helpful here. From the FAQ:
> > > The scrub directive also reassembles fragmented packets, protecting
> > > some operating systems from some forms of attack.
> > <http://www.openbsd.org/faq/pf/scrub.html>
>
> Uh, no, "scrub" doesn't protect against this attack at all (or at least
> not according to that web page.)
>
> Darren
Also true, as this has nothing to do with ip fragments.
Mike "Silby" Silbersack
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"