Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S267374AbUITWDi (ORCPT ); Mon, 20 Sep 2004 18:03:38 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S267195AbUITWDi (ORCPT ); Mon, 20 Sep 2004 18:03:38 -0400 Received: from mail.enyo.de ([212.9.189.167]:22789 "EHLO mail.enyo.de") by vger.kernel.org with ESMTP id S267374AbUITWDI (ORCPT ); Mon, 20 Sep 2004 18:03:08 -0400 To: Paul Jakma Cc: Alan Cox , Ville Hallivuori , Toon van der Pas , Wolfpaw - Dale Corse , kaukasoi@elektroni.ee.tut.fi, Linux Kernel Mailing List Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack References: <002301c498ee$1e81d4c0$0200a8c0@wolf> <1095008692.11736.11.camel@localhost.localdomain> <20040912192331.GB8436@hout.vanvergehaald.nl> <20040913201113.GA5453@vph.iki.fi> <1095174633.16990.19.camel@localhost.localdomain> <1095178175.17043.50.camel@localhost.localdomain> From: Florian Weimer Date: Tue, 21 Sep 2004 00:02:46 +0200 In-Reply-To: (Paul Jakma's message of "Tue, 14 Sep 2004 18:17:53 +0100 (IST)") Message-ID: <87zn3kmwe1.fsf@deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 818 Lines: 21 * Paul Jakma: >> TCP-MD5 has no effect on ICMP based attacks., > > Hmm, good point. Which attacks, and what could be done about them? > (other than IPsec protect all traffic between peers). You just filter ICMP packets, in the way RST packets are already filtered (i.e. rate limit). The only TCP desynchronization attack that has a chance of working practice is the SYN-based one. The rate limit for RST processing on Cisco routers is far too low. (Mixed Cisco/Quagga environments are a different matter, but rather unusual and easily DoSed anyway, most of the time.) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/