[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Mike Silbersack
silby at silby.com
Fri Apr 23 16:10:02 PDT 2004
On Fri, 23 Apr 2004, Don Lewis wrote:
> > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
> > normal data?
> >
> > Also, has Alteon fixed the problem or do their load balancers still
> > exhibit the behavior?
>
> The link I posted showed it was a FIN, and after the RST was sent (and
> ignored by the FreeBSD stack because of the strict sequence number
> check), the Alteon (or whatever it was) did not respond to the
> retransmissions of the FIN packet.
>
> Maybe we can get by with the strict check by default and add a sysctl to
> revert to the permissive check.
I think Darren's suggestion would be a reasonable compromise; use the
strict check in the ESTABLISHED state, and the permissive check otherwise.
Established connections are what would be attacked, so we need the
security there, but the closing states are where oddities seem to pop up,
so we can use the permissive check there.
If this is acceptable, I'd like to get it committed this weekend so that
we can still get it into 4.10.
Mike "Silby" Silbersack
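The compromise discussed above (strict RST sequence check in ESTABLISHED, permissive check in the closing states), as an added stand-alone model. This is not code from FreeBSD, from the IETF draft, or from anyone in the thread. It assumes "strict" means the RST's SEQ must equal rcv_nxt exactly and "permissive" means SEQ anywhere in the receive window (the RFC 793 rule); the state names, the tcpcb field names and the helper names are modelled on FreeBSD conventions but are hypothetical here. The sample connection parameters are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Sequence-number comparisons that survive 32-bit wraparound (RFC 793 style). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Synchronized states only; a RST arriving in other states is not the issue here. */
enum tcp_state {
    TCPS_ESTABLISHED, TCPS_CLOSE_WAIT, TCPS_FIN_WAIT_1,
    TCPS_CLOSING, TCPS_LAST_ACK, TCPS_FIN_WAIT_2, TCPS_TIME_WAIT
};

/* Minimal stand-in for the fields of the control block the check needs (assumed names). */
struct tcpcb {
    enum tcp_state state;
    uint32_t rcv_nxt;   /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;   /* size of our receive window */
};

/* Permissive (RFC 793) check: honour the RST if its SEQ lies anywhere in [rcv_nxt, rcv_nxt+rcv_wnd). */
static bool rst_in_window(const struct tcpcb *tp, uint32_t seq)
{
    if (tp->rcv_wnd == 0)               /* zero window: only the exact value is in range */
        return seq == tp->rcv_nxt;
    return SEQ_LEQ(tp->rcv_nxt, seq) && SEQ_LT(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Strict check: only SEQ == rcv_nxt is honoured, so a blind attacker must hit one value in 2^32. */
static bool rst_exact(const struct tcpcb *tp, uint32_t seq)
{
    return seq == tp->rcv_nxt;
}

/* The compromise: strict while ESTABLISHED (the state a blind reset attack targets),
 * permissive in the closing states where peers with odd stacks were seen to send
 * RSTs that do not line up exactly with rcv_nxt. */
bool rst_accept(const struct tcpcb *tp, uint32_t seq)
{
    if (tp->state == TCPS_ESTABLISHED)
        return rst_exact(tp, seq);
    return rst_in_window(tp, seq);
}

/* Convenience wrapper so callers can evaluate a single RST without building a tcpcb. */
bool rst_accepted(enum tcp_state state, uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    struct tcpcb tp = { state, rcv_nxt, rcv_wnd };
    return rst_accept(&tp, seq);
}

/* Worst-case number of blind guesses needed to sweep the SEQ space under each rule:
 * 2^32 / (number of accepted values). With a 64 KiB window the permissive rule
 * needs ~2^16 packets; the strict rule needs the full 2^32. */
uint64_t rst_guesses_needed(enum tcp_state state, uint32_t rcv_wnd)
{
    uint64_t accepted = (state == TCPS_ESTABLISHED) ? 1 : (rcv_wnd ? rcv_wnd : 1);
    return (1ULL << 32) / accepted;
}

int main(void)
{
    /* Constructed connection: rcv_nxt = 1000000, 64 KiB window; attacker guesses 4000 above it. */
    uint32_t rcv_nxt = 1000000u, rcv_wnd = 65535u, guess = 1004000u;

    printf("ESTABLISHED, in-window guess accepted? %d\n",
           rst_accepted(TCPS_ESTABLISHED, rcv_nxt, rcv_wnd, guess));
    printf("FIN_WAIT_1,  in-window guess accepted? %d\n",
           rst_accepted(TCPS_FIN_WAIT_1, rcv_nxt, rcv_wnd, guess));
    printf("guesses to sweep: ESTABLISHED=%llu FIN_WAIT_1=%llu\n",
           (unsigned long long)rst_guesses_needed(TCPS_ESTABLISHED, rcv_wnd),
           (unsigned long long)rst_guesses_needed(TCPS_FIN_WAIT_1, rcv_wnd));
    return 0;
}
```

The window arithmetic uses signed differences so a window that straddles the 2^32 boundary still accepts an in-window RST; the trade-off the thread describes is visible in `rst_guesses_needed`, where the same window size costs an attacker 2^16 versus 2^32 packets depending on which rule is in force.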