[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Mike Silbersack
silby at silby.com
Fri Apr 23 16:34:48 PDT 2004
On Fri, 23 Apr 2004, jayanth wrote:
> > I think Darren's suggestion would be a reasonable compromise; use the
> > strict check in the ESTABLISHED state, and the permissive check otherwise.
> > Established connections are what would be attacked, so we need the
> > security there, but the closing states are where oddities seem to pop up,
> > so we can use the permissive check there.
> >
> > If this is acceptable, I'd like to get it committed this weekend so that
> > we can still get it into 4.10.
> >
>
> sure, that sounds reasonable. The sysctl should be good for yahoo.
>
> thanks,
> jayanth
There wouldn't be a sysctl, as you wouldn't need one, if I understand
things correctly. Since the "bad" RST is in response to the FreeBSD box
sending a FIN, the FreeBSD box would have already transitioned to
FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to
the check we're using at present.
Mike "Silby" Silbersack
More information about the freebsd-security
mailing list