Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)

From: Herbert Xu
Date: Mon Jun 13 2005 - 00:28:14 EST


On Mon, Jun 13, 2005 at 07:21:48AM +0200, Willy Tarreau wrote:
>
> > A much better place to do that is netfilter. If you do it there
> > then not only will you protect all Linux machines from this attack,
> > but you'll also protect all the other BSD-derived TCP stacks.
>
> Netfilter already blocks simultaneous connections. A SYN in return to
> a SYN produces an INVALID state.

Any reason why that isn't enough?
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
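Illustration of the conntrack behaviour Willy describes above (added here; this is a simplified model, not netfilter's nf_conntrack code, and the state and flag names are simplified assumptions): a reply-direction SYN arriving while the tracker is in SYN_SENT is classified INVALID rather than advancing the handshake, which is what a `-m state --state INVALID -j DROP` rule would then act on. The sample flows are constructed, not captured traffic.

```python
"""Simplified model of stateful TCP tracking: a SYN received in reply to
our own SYN (simultaneous open) is marked INVALID instead of being
accepted. Illustrative only; not the netfilter implementation."""

from dataclasses import dataclass

NEW, SYN_SENT, SYN_RECV, ESTABLISHED, INVALID = (
    "NEW", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "INVALID")


@dataclass(frozen=True)
class Segment:
    direction: str      # "orig" = from the initiator, "reply" = from the peer
    syn: bool = False
    ack: bool = False


def track(state, seg):
    """Return the next tracking state after one segment (simplified table)."""
    if state == INVALID:
        return INVALID
    if state == NEW:
        # Only an initiator SYN without ACK opens a tracked flow.
        if seg.direction == "orig" and seg.syn and not seg.ack:
            return SYN_SENT
        return INVALID
    if state == SYN_SENT:
        if seg.direction == "reply" and seg.syn and seg.ack:
            return SYN_RECV
        # The case from the thread: a bare SYN coming back in reply to
        # our SYN is not a valid continuation of the handshake.
        if seg.direction == "reply" and seg.syn and not seg.ack:
            return INVALID
        if seg.direction == "orig" and seg.syn and not seg.ack:
            return SYN_SENT     # retransmitted SYN from the initiator
        return INVALID
    if state == SYN_RECV:
        if seg.direction == "orig" and seg.ack and not seg.syn:
            return ESTABLISHED
        if seg.direction == "reply" and seg.syn and seg.ack:
            return SYN_RECV     # retransmitted SYN-ACK
        return INVALID
    if state == ESTABLISHED:
        # A fresh SYN inside an established flow is also rejected.
        if seg.syn and not seg.ack:
            return INVALID
        return ESTABLISHED
    return INVALID


def classify(segments):
    """Feed segments through the tracker; return (final_state, per-segment states).

    The per-segment list is what a '--state INVALID -j DROP' rule would
    consult for each packet."""
    state = NEW
    verdicts = []
    for seg in segments:
        state = track(state, seg)
        verdicts.append(state)
    return state, verdicts


# Constructed sample flows (not captured traffic).
NORMAL_HANDSHAKE = [
    Segment("orig", syn=True),
    Segment("reply", syn=True, ack=True),
    Segment("orig", ack=True),
]
SIMULTANEOUS_OPEN = [
    Segment("orig", syn=True),
    Segment("reply", syn=True),     # SYN answered with a SYN
]

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_HANDSHAKE),
                       ("simultaneous", SIMULTANEOUS_OPEN)):
        final, verdicts = classify(flow)
        print(f"{name}: {' -> '.join(verdicts)}")
```

Run it directly to see the two traces; the normal three-way handshake ends in ESTABLISHED, while the SYN-for-SYN exchange ends in INVALID at the second segment, which is the packet a drop-INVALID rule would discard.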