On 23 Apr, Mike Silbersack wrote: > > Here's my proposed patch to change RST handling so that ESTABLISHED > connections are subject to strict RST checking, but connections in other > states are only subject to the "within the window" check. Part 2 of the > patch is simply a patch to netstat so that it displays the statistic. > > As expected, it's very straightforward, the only real question is what to > call the statistic... "Ignored RSTs in the window" isn't the best > description. > > FWIW, I've been testing with the exploit code > (reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this > change does indeed defeat the attack. It took me a while to get the code > working, they really munged up the libnet calls, but I guess that was the > intent. > + if (tp->last_ack_sent != th->th_seq) { I'd reverse the operand order here to match the operand order of the enclosing "if" block. Other than that tiny nit, this looks fine. What is our status with regards to the spoofed SYN version of the attack? _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"