Other possible protection against RST/SYN attacks (was Re: TCP RST attack

From: Mike Tancsa (mike_at_sentex.net)
Date: 04/21/04

  • Next message: Jacques A. Vidrine: "Re: Other possible protection against RST/SYN attacks (was Re: TCP RST attack"

    Date: Wed, 21 Apr 2004 12:30:40 -0400
    To: freebsd-security@FreeBSD.org

    One other technique that might help with respect to this attack is what
    Cisco implemented, commonly known as the "TTL hack":

    http://www.nanog.org/mtg-0302/hack.html

    I have not tried it yet, and I am not sure of the implications. But on BGP
    speaking hosts, what if the following were done?

    Assuming these are directly connected peers,

    sysctl -w net.inet.ip.ttl=255

    ipfw add 500 allow tcp from any to me 179 ipttl 255
    ipfw add 600 deny log tcp from any to me 179

    You would also need to cover the source ports. Not sure what the cleanest
    looking rule for that would be.

    What nasty side effects would this cause? If the attacker were on the
    same subnet this would not do anything, but you have larger problems if
    this is the case.

             ---Mike

    At 07:10 AM 21/04/2004, Jacques A. Vidrine wrote:
    >On Tue, Apr 20, 2004 at 01:32:40PM -0700, Dragos Ruiu wrote:
    > > Also keep in mind ports are predictable to varying degrees depending on
    > > the vendor or OS, which further reduces the brute force space you have to
    > > go though without sniffing.
    >
    >This is exactly why I ported OpenBSD's TCP ephemeral port allocation
    >randomization to FreeBSD-CURRENT (although I asked Mike Silby to commit
    >it for me and take the blame if it broke :-). It will also be MFC'd
    >shortly in time for 4.10-RELEASE.
    >
    >Cheers,
    >--
    >Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
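As an added illustration (not part of Mike's post or of ipfw itself): a small Python model of the TTL check above, parsing the TTL and ports out of constructed raw IPv4/TCP headers and applying the allow/deny decision for both destination port 179 and source port 179 (the source-port case the post leaves open). Addresses, ports and hop counts are constructed sample values; a real deployment does this in ipfw, not in userland.

```python
import struct

BGP_PORT = 179
EXPECTED_TTL = 255  # both directly connected peers send with net.inet.ip.ttl=255


def parse_ipv4_tcp(pkt: bytes):
    """Return (ttl, proto, src_port, dst_port) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    ttl, proto = pkt[8], pkt[9]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ttl, proto, sport, dport


def bgp_filter_decision(pkt: bytes) -> str:
    """Model of rules 500/600 from the post, extended to cover source port 179.

    'allow' = rule 500 matched (TTL still 255, so the sender is one hop away),
    'deny'  = rule 600 matched (BGP port involved but TTL was decremented),
    'pass'  = not a BGP segment; falls through to whatever rules follow.
    """
    ttl, proto, sport, dport = parse_ipv4_tcp(pkt)
    if proto != 6 or BGP_PORT not in (sport, dport):
        return "pass"
    return "allow" if ttl == EXPECTED_TTL else "deny"


def build_packet(ttl: int, sport: int, dport: int, proto: int = 6) -> bytes:
    """Constructed minimal IPv4 header (no options) plus the TCP port fields."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip_hdr + struct.pack("!HH", sport, dport)


def arriving_ttl(sent_ttl: int, hops: int) -> int:
    """TTL seen by the receiver after each router on the path decrements it."""
    return max(sent_ttl - hops, 0)


if __name__ == "__main__":
    peer = build_packet(arriving_ttl(255, 0), 40000, BGP_PORT)   # directly connected
    spoof = build_packet(arriving_ttl(255, 4), 40000, BGP_PORT)  # four hops away
    print(bgp_filter_decision(peer), bgp_filter_decision(spoof))  # allow deny
```

The same-subnet caveat from the post falls out of the model: a sender zero hops away also arrives with TTL 255 and is allowed.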
