I agree, but what's most important is to maintain backward compatibility. If one breaks it, it's a DoS in some sense. I also saw some postings on NetBSD which does rate limiting of ACKs (in response to SYNs), and ACKs RST. IMHO, the latter is bogus - why ACK a RST? And, the former may impose an artificial limit of some sort.
Alan Evans

--- Andre Oppermann <[EMAIL PROTECTED]> wrote:
> Chuck Swiger wrote:
> > Alan Evans wrote:
> > > I'm sure FreeBSD is vulnerable.
> > >
> > > http://www.us-cert.gov/cas/techalerts/TA04-111A.html
> > >
> > > There's a draft that (sort of) addresses this. Should
> > > we adopt it?
> >
> > This issue is being discussed on freebsd-security now, and Mike Silbersack
> > <[EMAIL PROTECTED]> has some patches available for review and testing.
>
> There has been an additional problem in some BSD stacks with RSTs
> which was fixed in FreeBSD about six years ago. The remaining
> things which are addressed in that paper are hardening measures to
> reduce the chances of a brute force blind attack. There is *no*
> vulnerability in the sense of "send packet x" and everything breaks.
>
> --
> Andre