Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S268861AbUIMTK2 (ORCPT ); Mon, 13 Sep 2004 15:10:28 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S268884AbUIMTK2 (ORCPT ); Mon, 13 Sep 2004 15:10:28 -0400 Received: from pauli.thundrix.ch ([213.239.201.101]:18638 "EHLO pauli.thundrix.ch") by vger.kernel.org with ESMTP id S268861AbUIMTKU (ORCPT ); Mon, 13 Sep 2004 15:10:20 -0400 Date: Mon, 13 Sep 2004 21:07:41 +0200 From: Tonnerre To: Willy Tarreau Cc: Paul Jakma , Toon van der Pas , Alan Cox , Wolfpaw - Dale Corse , kaukasoi@elektroni.ee.tut.fi, Linux Kernel Mailing List Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack Message-ID: <20040913190741.GD19399@thundrix.ch> References: <002301c498ee$1e81d4c0$0200a8c0@wolf> <1095008692.11736.11.camel@localhost.localdomain> <20040912192331.GB8436@hout.vanvergehaald.nl> <20040913041846.GD2780@alpha.home.local> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="iVCmgExH7+hIHJ1A" Content-Disposition: inline In-Reply-To: <20040913041846.GD2780@alpha.home.local> X-GPG-KeyID: 0x8BE1C38D X-GPG-Fingerprint: 1AB0 9AD6 D0C8 B9D5 C5C9 9C2A FF86 CBEE 8BE1 C38D X-GPG-KeyURL: http://users.thundrix.ch/~tonnerre/tonnerre.asc User-Agent: Mutt/1.5.6+20040803i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1244 Lines: 40 --iVCmgExH7+hIHJ1A Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Salut, On Mon, Sep 13, 2004 at 06:18:47AM +0200, Willy Tarreau wrote: > > The BGP state machine should instead, in normal operation, have=20 > > only treated Hold time expired as the definitive sign of "peer is=20 > > down" and allowed reconnects. >=20 > It should not necessarily wait for the time-out, but at least wait for > a few reconnect errors. Problem there: you can fake connection errors almost as easily as sending an RST packet, so the DoS might reappear, might it not? Tonnerre --iVCmgExH7+hIHJ1A Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.9.2 (GNU/Linux) iD4DBQFBRe/8/4bL7ovhw40RAns4AKCEHPFN5dKLrmwgdJuE+UK2w5pdNQCXdE7t Ipp+iizNsDSClV0ExUFb+w== =RsZd -----END PGP SIGNATURE----- --iVCmgExH7+hIHJ1A-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/