Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack

[Florian Weimer]

* Herbert Xu:

> Florian Weimer <fw@xxxxxxxxxxxxx> wrote:
>> 
>>>> TCP-MD5 has no effect on ICMP based attacks.,
>>>
>>> Hmm, good point. Which attacks, and what could be done about them? 
>>> (other than IPsec protect all traffic between peers).
>> 
>> You just filter ICMP packets, in the way RST packets are already
>> filtered (i.e. rate limit).
>
> Rate-limiting has no effect on ICMP attacks unless your limit is such
> that you're effectively dropping them all.

Yes, that's the idea.  Keep in mind that all this is about traffic
destined to a router interface address, not about forwarded traffic.

> But then you get PMTU problems...

PMTU discovery is not an issue because it's turned off anyway, at
least by default.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/