On Mon, Apr 27, 2015 at 03:12:43PM -0700, Ronald F. Guilmette wrote:

> 
> In message <a83fb715-936e-4a43-ae2d-e76c32d0f...@mac.com>, 
> Charles Swiger <cswi...@mac.com> wrote:
> 
> >On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
> ...
> >> and/or whether FreeBSD provides any options which,
> >> for example, might automagically trigger a close of the relevant TCP
> >> connection when and if such an event is detected.  (Connection close
> >> seems to me to be one possible mitigation strategy, even if it might
> >> be viewed as rather ham-fisted by some.)
> >
> >You need to be able to distinguish normal dup packets
> 
> Yes.
> 
> As I understand it, (verbatim) duplicate packets can sometimes arrive at
> an endpoint due simply to network anomalies.  However as I understand it,
> those will typically have identical lengths and payloads.  If I read that
> news article correctly, then the spoofed packets at issue will have the
> same sequence numbers as legit ones, but different lengths and/or payloads.

Different lengths are legitimate -- in the case where the sender resends
packets and reduces packet sizes (for example, from a different interface
with a different MTU).

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
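
The distinction drawn in this thread (a resend with a different length is normal, while the same sequence numbers carrying different bytes are not) can be checked per byte of sequence space rather than per packet. The following is an added example, not part of the original messages and not FreeBSD code; `classify_segments` and the sample segments are hypothetical and constructed for illustration, covering one direction of one connection.

```python
# Added example: classify TCP segments that re-cover already-seen sequence space.
# Segments are (seq, payload) tuples for one direction of one connection;
# the sample data below is constructed, not captured traffic.

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def classify_segments(segments):
    """Return one (seq, length, verdict) tuple per segment.

    verdict is "new", "retransmit" (overlap, identical bytes) or
    "conflict" (overlap, at least one byte differs from what was seen first).
    """
    seen = {}  # sequence number of a byte -> byte value first seen there
    results = []
    for seq, payload in segments:
        overlap = False
        mismatch = False
        for i, byte in enumerate(payload):
            pos = (seq + i) % SEQ_MOD
            if pos in seen:
                overlap = True
                if seen[pos] != byte:
                    mismatch = True
            else:
                seen[pos] = byte
        if mismatch:
            verdict = "conflict"
        elif overlap:
            verdict = "retransmit"
        else:
            verdict = "new"
        results.append((seq, len(payload), verdict))
    return results


# Constructed sample: one stream direction, initial data at seq 1000.
SAMPLE = [
    (1000, b"GET /index.html HTTP/1.1\r\n"),  # original segment (26 bytes)
    (1000, b"GET /index.html HTTP/1.1\r\n"),  # verbatim duplicate
    (1000, b"GET /index"),                    # resend, smaller size (lower MTU)
    (1010, b".html HTTP/1.1\r\n"),            # remainder of the resend
    (1000, b"GET /other.html HTTP/1.1\r\n"),  # same seq, different payload
    (1026, b"Host: example.org\r\n"),         # new data
]

if __name__ == "__main__":
    for seq, length, verdict in classify_segments(SAMPLE):
        print(seq, length, verdict)
```

Only the "conflict" verdict corresponds to the case described in the quoted text; the resegmented resend is reported as an ordinary retransmit because every overlapping byte matches.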
