Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fw

Board: FB_security, posted 2004/04/27 01:55 (post 23 of 23 in the thread)
Mike Silbersack (silby@silby.com) wrote:
>
> On Fri, 23 Apr 2004, Don Lewis wrote:
>
> > > What type of packet was causing the Alteons to emit the RST?  SYN, FIN,
> > > normal data?
> > >
> > > Also, has Alteon fixed the problem or do their load balancers still
> > > exhibit the behavior?
> >
> > The link I posted showed it was a FIN, and after the RST was sent (and
> > ignored by the FreeBSD stack because of the strict sequence number
> > check), the Alteon (or whatever it was) did not respond to the
> > retransmissions of the FIN packet.
> >
> > Maybe we can get by with the strict check by default and add a sysctl to
> > revert to the permissive check.
>
> I think Darren's suggestion would be a reasonable compromise; use the
> strict check in the ESTABLISHED state, and the permissive check otherwise.
> Established connections are what would be attacked, so we need the
> security there, but the closing states are where oddities seem to pop up,
> so we can use the permissive check there.
>
> If this is acceptable, I'd like to get it committed this weekend so that
> we can still get it into 4.10.
>

sure, that sounds reasonable. The sysctl should be good for yahoo.

thanks,
jayanth
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
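
Added example, not part of the original message and not FreeBSD's code: the compromise discussed above written out in C, showing which RST segments each state accepts. It assumes the strict check means an exact match on the next expected sequence number and the permissive check is the RFC 793 in-window test; every identifier, including the `permissive_rst` stand-in for the proposed sysctl, is hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not FreeBSD's tcp_input() code. */
enum tcp_state { ST_ESTABLISHED, ST_FIN_WAIT_1, ST_FIN_WAIT_2, ST_CLOSING, ST_LAST_ACK };

/* Stand-in for the proposed sysctl: nonzero reverts to the permissive check everywhere. */
static int permissive_rst = 0;

/* Permissive check (RFC 793): RST sequence number anywhere in the receive window.
 * Unsigned subtraction keeps the comparison correct across sequence wraparound. */
static bool rst_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;          /* zero window: only the exact value fits */
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Strict check (assumed here): exact match on the next expected sequence number. */
static bool rst_exact(uint32_t seq, uint32_t rcv_nxt)
{
    return seq == rcv_nxt;
}

/* The compromise from the thread: strict in ESTABLISHED, permissive in other states. */
static bool rst_acceptable(enum tcp_state st, uint32_t seq,
                           uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (st == ST_ESTABLISHED && !permissive_rst)
        return rst_exact(seq, rcv_nxt);
    return rst_in_window(seq, rcv_nxt, rcv_wnd);
}

int main(void)
{
    /* Constructed values: a 65535-byte window that wraps past 2^32. */
    uint32_t rcv_nxt = 0xFFFFF000u, wnd = 65535;
    printf("ESTABLISHED, in-window RST: %d\n",
           rst_acceptable(ST_ESTABLISHED, rcv_nxt + 100, rcv_nxt, wnd));
    printf("ESTABLISHED, exact RST:     %d\n",
           rst_acceptable(ST_ESTABLISHED, rcv_nxt, rcv_nxt, wnd));
    printf("FIN_WAIT_1,  in-window RST: %d\n",
           rst_acceptable(ST_FIN_WAIT_1, rcv_nxt + 0x2000, rcv_nxt, wnd));
    return 0;
}
```
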