Other possible protection against RST/SYN attacks (was Re: TCP
RST attack
Mike Tancsa
mike at sentex.net
Wed Apr 21 09:29:50 PDT 2004
One other technique that might help with respect to this attack is what
Cisco implemented, commonly known as the "TTL hack"
http://www.nanog.org/mtg-0302/hack.html
I have not tried it yet, and I am not sure of the implications. But on bgp
speaking hosts, what if the following were done.
Assuming these are directly connected peers,
sysctl -w net.inet.ip.ttl=255
ipfw add 500 allow tcp from any to me 179 ipttl 255
ipfw add 600 deny log tcp from any to me 179
You would also need to cover the source ports. Not sure what the cleanest
looking rule for that would be.
What nasty side effects would this cause ? If the attacker were on the
same subnet this would not do anything, but you have larger problems if
this is the case.
---Mike
At 07:10 AM 21/04/2004, Jacques A. Vidrine wrote:
>On Tue, Apr 20, 2004 at 01:32:40PM -0700, Dragos Ruiu wrote:
> > Also keep in mind ports are predictable to varying degrees depending on
> > the vendor or OS, which further reduces the brute force space you have to
> > go though without sniffing.
>
>This is exactly why I ported OpenBSD's TCP ephemeral port allocation
>randomization to FreeBSD-CURRENT (although I asked Mike Silby to commit
>it for me and take the blame if it broke :-). It will also be MFC'd
>shortly in time for 4.10-RELEASE.
>
>Cheers,
>--
>Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
More information about the freebsd-security
mailing list