Tim: Good summary! You might want to add that, under FreeBSD 3.4 and FreeBSD-Current, you can also turn on tcp_restrict_rst and it will help some (not an ideal fix, but it's something that can be done quickly). You will most likely have to recompile the kernel with the TCP_RESTRICT_RST option first, because it is not there by default. The kernel still spends more time than it should figuring out that the ACK is bogus, but at least once it does, it drops it cold. It does not try to send a RST (which, in turn, may generate an ICMP "unreachable" message from the router since the source address is spoofed). This ought to prevent the system from doing more than slowing down a bit if it's attacked. Folks who need to rewrite their firewall rules to move from IPFW to IPFilter can do this while they're working on the conversion. To turn on tcp_restrict_rst, recompile your kernel with the option TCP_RESTRICT_RST and then turn on tcp_restrict_rst in rc.conf. --Brett
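The two-step procedure Brett describes (add the TCP_RESTRICT_RST option to the kernel config before rebuilding, then set tcp_restrict_rst in rc.conf) as a small POSIX shell script. This is an added example, not code from the post or from FreeBSD; the kernel config path and rc.conf path are assumptions passed in as arguments, and the rc.conf variable name is taken from the post. The script is idempotent, so running it twice does not duplicate the options line, and it leaves the rest of rc.conf untouched.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a FreeBSD 3.4-era
# kernel config and rc.conf for tcp_restrict_rst.
# Usage: sh enable_restrict_rst.sh /usr/src/sys/i386/conf/MYKERNEL /etc/rc.conf
# Both paths are assumptions; the kernel still has to be rebuilt afterwards.

# Return 0 if the kernel config already carries "options NAME".
has_kernel_option() {
    grep -Eq "^options[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Print the value of a VAR="..." line in an rc.conf (empty if unset).
# Strips surrounding quotes and any trailing "# comment".
rcconf_value() {
    awk -v var="$2" -F= '$1 == var {
        v = $2
        sub(/^"/, "", v); sub(/".*$/, "", v)
        sub(/[[:space:]]*#.*$/, "", v); sub(/[[:space:]]+$/, "", v)
        print v
    }' "$1" | tail -n 1
}

# Set VAR="VALUE" in an rc.conf, replacing an existing assignment or appending.
# A replaced line loses its trailing comment, which is acceptable here.
set_rcconf() {
    file=$1; var=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$var=" "$file"; then
        awk -v var="$var" -v value="$value" -F= \
            '$1 == var { print var "=\"" value "\""; next } { print }' \
            "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s="%s"\n' "$var" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Step 1: the option is not in the default config, so add it before rebuilding.
# Step 2: turn the feature on in rc.conf so the boot scripts enable it.
enable_restrict_rst() {
    kernconf=$1; rcconf=$2
    if ! has_kernel_option "$kernconf" TCP_RESTRICT_RST; then
        printf 'options\tTCP_RESTRICT_RST\t# drop bogus ACKs without answering with a RST\n' \
            >> "$kernconf"
    fi
    set_rcconf "$rcconf" tcp_restrict_rst YES
}

if [ "$#" -eq 2 ]; then
    enable_restrict_rst "$1" "$2"
fi
```

After rebuilding and installing the kernel and rebooting, confirm that the option actually made it into the running kernel rather than trusting the rc.conf line: in my recollection the knob shows up as the sysctl net.inet.tcp.restrict_rst (an assumption, not something the post states), and its absence means the kernel was built without the option and the rc.conf setting does nothing.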
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:58 PDT