On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:

> I am prompted to ask here whether or not FreeBSD performs any sort of
> logging of instances when "duplicate TCP packets but with different
> payloads" occurs,

Not normally. Such things can be visible in netstat -s output as "completely duplicate packets", "packets with some dup. data", etc., and maybe enabling network debugging sysctls would give more visibility. They'd also generate vast amounts of logging for normal network activity.

> and/or whether FreeBSD provides any options which,
> for example, might automagically trigger a close of the relevant TCP
> connection when and if such an event is detected. (Connection close
> seems to me to be one possible mitigation strategy, even if it might
> be viewed as rather ham-fisted by some.)

You need to be able to distinguish normal dup packets, or dropping connections will break normal traffic. For that matter, an attacker could try to spoof legit connections and your countermeasure would presumably zap the legit connection.

Use a firewall which tracks connection state, drops out-of-window packets, forces fragmented packet reassembly to be performed, and uses protocol-aware proxies to validate the content of traffic where possible.

Regards,
-- 
-Chuck

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
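The reply points at the duplicate-data counters in `netstat -s` and warns that normal traffic also produces duplicates, so any alerting has to be relative to a baseline. The script below is an added example, not code from this thread or from FreeBSD: it parses two constructed snapshots of the TCP section of `netstat -s -p tcp` (the counter wording follows FreeBSD's output as far as I know it, but the numbers are made up), computes the per-counter growth between them, and flags the interval when the share of newly received segments that carried duplicate data exceeds a threshold. The 5% threshold and the counter set are assumptions to be tuned against the host's own baseline.

```python
import re

# Constructed sample snapshots of `netstat -s -p tcp` taken at two points in
# time. The line wording mirrors FreeBSD's counters mentioned in the reply;
# the values are invented for the example.
SNAPSHOT_T0 = """\
tcp:
        1000 packets sent
        2000 packets received
                12 completely duplicate packets (3456 bytes)
                2 old duplicate packets
                4 packets with some dup. data (512 bytes duped)
                9 out-of-order packets (1024 bytes)
"""

SNAPSHOT_T1 = """\
tcp:
        1500 packets sent
        2400 packets received
                20 completely duplicate packets (6000 bytes)
                2 old duplicate packets
                64 packets with some dup. data (8192 bytes duped)
                11 out-of-order packets (1500 bytes)
"""

# Counters worth watching (assumed set), keyed by a short name; each regex
# captures the leading count of the matching netstat line.
COUNTERS = {
    "received": re.compile(r"^\s*(\d+) packets? received$"),
    "completely_dup": re.compile(r"^\s*(\d+) completely duplicate packets?"),
    "partial_dup": re.compile(r"^\s*(\d+) packets? with some dup\. data"),
    "out_of_order": re.compile(r"^\s*(\d+) out-of-order packets?"),
}


def parse_tcp_stats(text):
    """Return {name: count} for every counter in COUNTERS found in text."""
    stats = {name: 0 for name in COUNTERS}
    for line in text.splitlines():
        for name, pattern in COUNTERS.items():
            m = pattern.match(line)
            if m:
                stats[name] = int(m.group(1))
    return stats


def delta(before, after):
    """Per-counter growth between two snapshots (kernel counters only grow)."""
    return {name: after[name] - before[name] for name in before}


def dup_data_ratio(d):
    """Fraction of newly received segments that carried some duplicate data."""
    received = d["received"]
    if received <= 0:
        return 0.0
    return (d["completely_dup"] + d["partial_dup"]) / received


def assess(before_text, after_text, threshold=0.05):
    """Compare two snapshots; flag the interval when the duplicate-data share
    of received segments exceeds threshold (assumed default: 5%)."""
    d = delta(parse_tcp_stats(before_text), parse_tcp_stats(after_text))
    ratio = dup_data_ratio(d)
    return {"delta": d, "ratio": ratio, "suspicious": ratio > threshold}


if __name__ == "__main__":
    result = assess(SNAPSHOT_T0, SNAPSHOT_T1)
    print(result["delta"])
    print("dup share: %.1f%%, suspicious: %s" % (result["ratio"] * 100,
                                                 result["suspicious"]))
```

On a real host you would feed the two snapshots from `netstat -s -p tcp` run some interval apart. The counters cannot tell a segment that merely retransmitted old data from one whose duplicate range carried different bytes, which is exactly why the reply says a per-host baseline is needed before dropping anything on the strength of these numbers: a lossy link raises the same counters legitimately.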