Need urgent help regarding security

Lowell Gilbert freebsd-security-local at be-well.ilk.org
Tue Nov 22 11:48:57 PST 2005


> >Be careful with adding ip addresses to deny via a packet filter.
> >If an attacker uses spoofed IP adresses, you may produce yourself
> >easily a denial of service attack.
> 
> Not sure I agree with the easily part.  TCP transport plus SSH
> protocol spoofing is not a vector that normally needs to be secured
> beyond what is already done in the kernel and router.  That's not to
> say such spoofing cannot be done, just that it is rare and would
> require a compromised router or localnet host at a minimum.

Except that it doesn't require spoofed addresses.  One attacker from the
local university's computer center (or from a large shell service ISP)
could lock out all of the other users on that machine.  Trivially.


More information about the freebsd-security mailing list