On Tue, 8 Nov 2005, Lars Eggert wrote:
> Also note that other attacks against long-lived TCP connections are still
> possible, e.g., through spoofed ICMP packets.
I don't think we've been vulnerable to the ICMP-based reset attack for a
few years, actually. Using SYN packets is the best method,
On Tue, Nov 08, 2005 at 01:56:41PM -0800, Lars Eggert wrote:
> On Nov 8, 2005, at 12:46, Marc Olzheim wrote:
> >Being on the wrong end of a distributed tcp syn flood attack atm.
> >on the
> >machine I'm mailing from, is probably enough to convince me of its
> >use.
>
> The change we are discus
On Nov 8, 2005, at 12:46, Marc Olzheim wrote:
> Being on the wrong end of a distributed tcp syn flood attack atm.
> on the
> machine I'm mailing from, is probably enough to convince me of its
> use.
The change we are discussing is not protecting you from SYN floods,
it is supposed to protect you f
On Nov 8, 2005, at 11:54, Mathieu CHATEAU wrote:
> 1/it can be set back if needed
It can be enabled, too, if needed.
> 2/95% of users will get benefits against 5% that will disable it
I'd love to see a source for those numbers.
> 3/over the time, i am having above 70 lines in sysctl.conf to get
Hi,
On Nov 8, 2005, at 11:23, Mike Silbersack wrote:
> I'm open to discussing the change. I plan to revisit that and the
> SYN causing a connection reset issue after eurobsdcon.
good to know, thanks!
> However, I'm open to clubbing you over the head for not saying
> anything throughout the enti
On Tue, Nov 08, 2005 at 11:02:25AM -0800, Lars Eggert wrote:
> Thus, I'd like to suggest that the default for
> net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
> came disabled by default in the past, too.
Being on the wrong end of a distributed tcp syn flood attack atm. on
On Tue, Nov 08, 2005 at 11:02:25AM -0800, Lars Eggert wrote:
> Hi,
>
> I came across the following in the release notes of 6.0 recently:
>
> "The RST handling of the FreeBSD TCP stack has been improved to make
> reset attacks as difficult as possible while maintaining
> compatibility with the
hello,
to start with, i don't want to raise a troll...
argue to keep it set:
1/it can be set back if needed
2/95% of users will get benefits against 5% that will disable it
3/over the time, i am having above 70 lines in sysctl.conf to get
FreeBSD secured and the network strong and fast.
4/the 5%
On Tue, 8 Nov 2005, Lars Eggert wrote:
> Thus, I'd like to suggest that the default for net.inet.tcp.insecure_rst be
> zero for now. AFAIK, any other TCP mod came disabled by default in the past,
> too.
> Lars
I'm open to discussing the change. I plan to revisit that and the SYN
causing a connec
Hi,
I came across the following in the release notes of 6.0 recently:
"The RST handling of the FreeBSD TCP stack has been improved to make
reset attacks as difficult as possible while maintaining
compatibility with the widest range of TCP stacks. (...) Note that
this behavior technically v