Logging TCP anomalies
Lowell Gilbert
freebsd-security-local at be-well.ilk.org
Mon Apr 27 19:49:25 UTC 2015
"Ronald F. Guilmette" <rfg at tristatelogic.com> writes:
> I am prompted to ask here whether or not FreeBSD performs any sort of
> logging of instances when "duplicate TCP packets but with different
> payloads" occurs, and/or whether FreeBSD provides any options which,
> for example, might automagically trigger a close of the relevant TCP
> connection when and if such an event is detected. (Connection close
> seems to me to be one possible mitigation strategy, even if it might
> be viewed as rather ham-fisted by some.)
As far as I can see, no. This would be a non-trivial application of
resources, so I wouldn't expect to see it be a standard part of the TCP
stack. Such a check would be better implemented as an optional
application of an API like BPF.
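An added illustration, not part of the original message and not FreeBSD code: the comparison a userland monitor fed by a BPF capture could run on each TCP payload to flag retransmitted sequence ranges whose bytes differ. `flow_check`, `struct flow` and the size limits are hypothetical names and values; packet capture, header parsing and per-connection lookup are assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64        /* segments remembered per flow direction (assumed) */
#define MAX_PAYLOAD 1460   /* largest payload tracked (assumed) */

struct seg { uint32_t seq; uint16_t len; uint8_t data[MAX_PAYLOAD]; };
struct flow { struct seg segs[MAX_SEGS]; int used, next; };

/* Returns 1 if this payload disagrees with bytes already seen at the same
 * sequence numbers, 0 if consistent, -1 if the segment is too large to track. */
int flow_check(struct flow *f, uint32_t seq, const uint8_t *data, uint16_t len)
{
    int conflict = 0;
    if (len > MAX_PAYLOAD) return -1;
    for (int i = 0; i < f->used; i++) {
        const struct seg *s = &f->segs[i];
        /* Signed difference keeps the comparison valid across sequence wrap. */
        int32_t off = (int32_t)(seq - s->seq);
        uint32_t new_from = off < 0 ? 0u - (uint32_t)off : 0; /* into new data */
        uint32_t old_from = off > 0 ? (uint32_t)off : 0;      /* into old data */
        if (new_from >= len || old_from >= s->len)
            continue;                          /* ranges do not overlap */
        uint32_t n = len - new_from;
        if (s->len - old_from < n)
            n = s->len - old_from;
        if (memcmp(data + new_from, s->data + old_from, n) != 0)
            conflict = 1;
    }
    if (len > 0) {                             /* remember it; oldest slot is reused */
        struct seg *slot = &f->segs[f->next];
        slot->seq = seq;
        slot->len = len;
        memcpy(slot->data, data, len);
        f->next = (f->next + 1) % MAX_SEGS;
        if (f->used < MAX_SEGS) f->used++;
    }
    return conflict;
}

int main(void)
{
    static struct flow f;  /* zero-initialised; segments below are constructed */
    printf("%d\n", flow_check(&f, 1000, (const uint8_t *)"GET /a", 6));
    printf("%d\n", flow_check(&f, 1000, (const uint8_t *)"GET /b", 6));
    return 0;
}
```

With these limits each tracked direction keeps roughly 90 KB of payload history, and every new segment is compared against all remembered ones.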