* Jesper Skriver <[EMAIL PROTECTED]> [001118 06:54] wrote:
> On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote:
> > * Jesper Skriver <[EMAIL PROTECTED]> [001117 12:11] wrote:
> > [snip]
> > >
> > > This timeout could be avoided if the sending mail server reacted to the
> > > 'ICMP administratively prohibited' they got from our router.
> > [snip]
> > >
> > > $ telnet nemo.dyndns.dk 25
> > > Trying 193.89.247.125...
> > > telnet: Unable to connect to remote host: No route to host
> > > $ uname -a
> > > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
> > >
> > > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ?
> >
> > Probably not, what if one started a stream of spoofed ICMP lying
> > about the state of the route between the two machines? I have
> > the impression that the Linux box wouldn't be able to connect
> > because of this behavior.
>
> Correct, a attacker could in theory make sure we couldn't connect to
> a given remote box, but as I see it, it's mostly in teory.
>
> We could only react to this if we had a TCP session where we was
> waiting for a SYN/ACK from this specific host, this only leaves a very
> narrow window for a attacker to abuse, as he had to know both
> destination and time.
>
> Do you agree ?
If I agreed I wouldn't have objected in the first place. :(
--
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
