Date: Tue, 14 Sep 2004 15:55:06 +0100 (IST)
From: Paul Jakma <paul@clubi.ie>
To: Ville Hallivuori <vph@iki.fi>
cc: Toon van der Pas <toon@hout.vanvergehaald.nl>,
       Alan Cox <alan@lxorguk.ukuu.org.uk>,
       Wolfpaw - Dale Corse <admin@wolfpaw.net>, kaukasoi@elektroni.ee.tut.fi,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial
 of Service Attack
In-Reply-To: <20040913201113.GA5453@vph.iki.fi>
Message-ID: <Pine.LNX.4.61.0409141553260.23011@fogarty.jakma.org>
References: <002301c498ee$1e81d4c0$0200a8c0@wolf> <1095008692.11736.11.camel@localhost.localdomain>
 <20040912192331.GB8436@hout.vanvergehaald.nl> <Pine.LNX.4.61.0409130413460.23011@fogarty.jakma.org>
 <Pine.LNX.4.61.0409130425440.23011@fogarty.jakma.org> <20040913201113.GA5453@vph.iki.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 945
Lines: 25

On Mon, 13 Sep 2004, Ville Hallivuori wrote:

> Actually you can treat TCP session failure as transient error. Just 
> use BGP graceful restart (witch basically allows re-opening TCP 
> connection without losing routing tables).
>
> http://www.ietf.org/internet-drafts/draft-ietf-idr-restart-10.txt

Hmm, yes, I hadnt thought of the attack-mitigating aspects of 
graceful restart. Though, without other measures, the session is 
still is open to abuse (send RST every second).

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Wit, n.:
 	The salt with which the American Humorist spoils his cookery
 	... by leaving it out.
 		-- Ambrose Bierce, "The Devil's Dictionary"
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/