Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack

From: Herbert Xu
Date: Mon Sep 20 2004 - 21:28:40 EST

Next message: Yu, Luming: "RE: [ACPI] PATCH-ACPI based CPU hotplug[2/6]-ACPI Eject interfacesupport"
Previous message: K.R. Foley: "Re: [patch] voluntary-preempt-2.6.9-rc2-mm1-S1"
In reply to: Florian Weimer: "Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack"
Next in thread: Florian Weimer: "Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Florian Weimer <fw@xxxxxxxxxxxxx> wrote:
>
>>> TCP-MD5 has no effect on ICMP based attacks.,
>>
>> Hmm, good point. Which attacks, and what could be done about them?
>> (other than IPsec protect all traffic between peers).
>
> You just filter ICMP packets, in the way RST packets are already
> filtered (i.e. rate limit).

Rate-limiting has no effect on ICMP attacks unless your limit is such
that you're effectively dropping them all. But then you get PMTU
problems...
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Yu, Luming: "RE: [ACPI] PATCH-ACPI based CPU hotplug[2/6]-ACPI Eject interfacesupport"
Previous message: K.R. Foley: "Re: [patch] voluntary-preempt-2.6.9-rc2-mm1-S1"
In reply to: Florian Weimer: "Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack"
Next in thread: Florian Weimer: "Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]