Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
From: Mike Silbersack (silby_at_silby.com)
Date: 04/24/04
- Previous message: Mike Silbersack: "Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)"
- Maybe in reply to: Darren Reed: "[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Apr 2004 18:57:20 -0500 (CDT) To: jayanth <jayanth@yahoo-inc.com>
On Fri, 23 Apr 2004, jayanth wrote:
> > I think Darren's suggestion would be a reasonable compromise; use the
> > strict check in the ESTABLISHED state, and the permissive check otherwise.
> > Established connections are what would be attacked, so we need the
> > security there, but the closing states are where oddities seem to pop up,
> > so we can use the permissive check there.
> >
> > If this is acceptable, I'd like to get it committed this weekend so that
> > we can still get it into 4.10.
> >
>
> sure, that sounds reasonable. The sysctl should be good for yahoo.
>
> thanks,
> jayanth
There wouldn't be a sysctl, as you wouldn't need one, if I understand
things correctly. Since the "bad" RST is in response to the FreeBSD box
sending a FIN, the FreeBSD box would have already transitioned to
FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to
the check we're using at present.
Mike "Silby" Silbersack
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Mike Silbersack: "Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)"
- Maybe in reply to: Darren Reed: "[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
