To: Herbert Xu
Cc: paul@clubi.ie, alan@lxorguk.ukuu.org.uk, vph@iki.fi, toon@hout.vanvergehaald.nl, admin@wolfpaw.net, kaukasoi@elektroni.ee.tut.fi, linux-kernel@vger.kernel.org
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack
From: Florian Weimer
Date: Tue, 21 Sep 2004 20:32:12 +0200
In-Reply-To: (Herbert Xu's message of "Tue, 21 Sep 2004 12:14:48 +1000")
Message-ID: <873c1bjwwj.fsf@deneb.enyo.de>

* Herbert Xu:

> Florian Weimer wrote:
>>
>>>> TCP-MD5 has no effect on ICMP based attacks.
>>>
>>> Hmm, good point. Which attacks, and what could be done about them?
>>> (other than IPsec protect all traffic between peers).
>>
>> You just filter ICMP packets, in the way RST packets are already
>> filtered (i.e. rate limit).
>
> Rate-limiting has no effect on ICMP attacks unless your limit is such
> that you're effectively dropping them all.

Yes, that's the idea. Keep in mind that all this is about traffic
destined to a router interface address, not about forwarded traffic.

> But then you get PMTU problems...

PMTU discovery is not an issue because it's turned off anyway, at
least by default.
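The trade-off in this exchange, as an added example that is not part of the original message: a token-bucket limiter applied only to ICMP addressed to the router's own interface, run over a constructed flood. The addresses, rates and packet list are assumptions; the thread does not say which limiter implementation is meant.

```python
# Added illustration, not code from the thread. Addresses, rates and the
# packet list are constructed; time is in integer milliseconds.

LOCAL_ADDRS = {"192.0.2.1"}            # assumed router interface address


class TokenBucket:
    """Integer token bucket: `rate` packets/s, depth `burst`, starts full."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * 1000        # capacity in millitokens
        self.milli = self.cap
        self.last_ms = 0

    def allow(self, now_ms):
        # rate tokens per second == rate millitokens per millisecond
        refill = (now_ms - self.last_ms) * self.rate
        self.milli = min(self.cap, self.milli + refill)
        self.last_ms = now_ms
        if self.milli >= 1000:
            self.milli -= 1000
            return True
        return False


def run(packets, bucket):
    """Count ICMP seen on the input path versus ICMP that is only forwarded."""
    counts = {"admitted": 0, "dropped": 0, "forwarded": 0}
    for t_ms, dst, proto in packets:
        if dst not in LOCAL_ADDRS:
            counts["forwarded"] += 1   # transit traffic: limiter not applied
        elif proto != "icmp" or bucket.allow(t_ms):
            counts["admitted"] += 1
        else:
            counts["dropped"] += 1
    return counts


def sample_packets():
    # Constructed input: 1000 ICMP packets in one second to the router
    # itself, plus three ICMP packets in transit to another host.
    flood = [(t, "192.0.2.1", "icmp") for t in range(1000)]
    transit = [(t, "198.51.100.7", "icmp") for t in (10, 500, 990)]
    return sorted(flood + transit)


if __name__ == "__main__":
    for rate, burst in ((10, 5), (1, 1), (0, 0)):
        print(rate, burst, run(sample_packets(), TokenBucket(rate, burst)))
```

Any non-zero limit still admits part of the flood (14 and 1 packets here); only the zero limit admits none, and the transit ICMP is never touched by the limiter.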