[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
jayanth
jayanth at yahoo-inc.com
Fri Apr 23 16:20:00 PDT 2004
Mike Silbersack (silby at silby.com) wrote:
>
> On Fri, 23 Apr 2004, Don Lewis wrote:
>
> > > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
> > > normal data?
> > >
> > > Also, has Alteon fixed the problem or do their load balancers still
> > > exhibit the behavior?
> >
> > The link I posted showed it was a FIN, and after the RST was sent (and
> > ignored by the FreeBSD stack because of the strict sequence number
> > check), the Alteon (or whatever it was) did not respond to the
> > retransmissions of the FIN packet.
> >
> > Maybe we can get by with the strict check by default and add a sysctl to
> > revert to the permissive check.
>
> I think Darren's suggestion would be a reasonable compromise; use the
> strict check in the ESTABLISHED state, and the permissive check otherwise.
> Established connections are what would be attacked, so we need the
> security there, but the closing states are where oddities seem to pop up,
> so we can use the permissive check there.
>
> If this is acceptable, I'd like to get it committed this weekend so that
> we can still get it into 4.10.
>
sure, that sounds reasonable. The sysctl should be good for yahoo.
thanks,
jayanth
More information about the freebsd-security
mailing list