mbuf vulnerability
Darren Reed
avalon at caligula.anu.edu.au
Tue Mar 2 08:13:42 PST 2004
In some mail from Stefan Bethke, sie said:
>
> On 01.03.2004 at 18:42, Mike Silbersack wrote:
> > A specially constructed stateful firewall could be constructed to deal
> > with this DoS, but I'm certain that there's no way you could use ipf or
> > anything preexisting to do the job.
IPFilter v4 can prevent this attack with:
pass in .. proto tcp ... keep state(strict)
> OpenBSD's pf scrubbing should be helpful here. From the FAQ:
> > The scrub directive also reassembles fragmented packets, protecting
> > some operating systems from some forms of attack.
> <http://www.openbsd.org/faq/pf/scrub.html>
Uh, no, "scrub" doesn't protect against this attack at all (or at least
not according to that web page.)
Darren