Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack

From: Willy Tarreau
Date: Mon Sep 13 2004 - 14:19:40 EST


On Mon, Sep 13, 2004 at 09:07:41PM +0200, Tonnerre wrote:
> Hi,
>
> On Mon, Sep 13, 2004 at 06:18:47AM +0200, Willy Tarreau wrote:
> > > The BGP state machine should instead, in normal operation, have
> > > only treated Hold time expired as the definitive sign of "peer is
> > > down" and allowed reconnects.
> >
> > It should not necessarily wait for the time-out, but at least wait for
> > a few reconnect errors.
>
> Problem there: you can fake connection errors almost as easily as
> sending an RST packet, so the DoS might reappear, might it not?
>

No, as long as you don't keep the routes from the old session until the
new one establishes and fills up (or you reach the timeout). And when I
spoke about "connection errors", I really spoke about connection
establishment. I bet you'll have more difficulties trying to send the
right RST just after a SYN (or an ICMP unreachable with the right payload)
than sending them once the session is already established. It does make
a big difference.

Willy
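The two policies argued about above (tear the routes down on the first RST, versus keep them until the hold timer expires or several reconnect attempts fail) can be made concrete with a small simulation. This is an added illustration written for this page, not code from the thread or from any BGP implementation; `HOLD_TIME`, `MAX_CONNECT_FAILURES`, the event names and the three constructed event traces are all assumptions of the example, and time is a plain integer counter rather than real timers.

```python
"""Toy model of the two peer-down policies discussed in the thread.

Added example, not from the thread or from any router software. Assumed
names: Peer, simulate, HOLD_TIME, MAX_CONNECT_FAILURES, and the event kinds
KEEPALIVE / RST / CONNECT_FAIL / TICK. Times are constructed integers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOLD_TIME = 90              # seconds; assumed hold time for this model
MAX_CONNECT_FAILURES = 3    # assumed number of failed reconnects tolerated

Event = Tuple[int, str]     # (time in seconds, event kind)


@dataclass
class Peer:
    """Minimal BGP peer: session state plus whether its routes are installed."""
    robust: bool                      # True: keep routes until hold timer / repeated failures
    established: bool = True
    routes_installed: bool = True
    last_keepalive: int = 0
    connect_failures: int = 0
    withdrawn_at: Optional[int] = None
    withdraw_reason: Optional[str] = None

    def _withdraw(self, now: int, reason: str) -> None:
        # Record only the first withdrawal; that is the route flap we care about.
        if self.routes_installed:
            self.routes_installed = False
            self.withdrawn_at = now
            self.withdraw_reason = reason

    def on_event(self, now: int, kind: str) -> None:
        if kind == "KEEPALIVE":
            # A keepalive means the session is (re)established: refresh the
            # hold timer and forget earlier connection failures.
            self.established = True
            self.last_keepalive = now
            self.connect_failures = 0
        elif kind == "RST":
            # The TCP session is gone either way; the policies differ only in
            # what happens to the routes learned over it.
            self.established = False
            if not self.robust:
                self._withdraw(now, "RST received on established session")
        elif kind == "CONNECT_FAIL":
            # A failed reconnect attempt (SYN answered by RST or ICMP unreachable).
            self.connect_failures += 1
            if self.robust and self.connect_failures >= MAX_CONNECT_FAILURES:
                self._withdraw(now, "repeated connection-establishment failures")
        elif kind != "TICK":
            raise ValueError(f"unknown event kind: {kind}")
        # Hold timer expiry is the definitive "peer is down" signal in the
        # robust policy; the naive policy never gets this far.
        if self.robust and now - self.last_keepalive >= HOLD_TIME:
            self._withdraw(now, "hold timer expired")


def simulate(robust: bool, events: List[Event]) -> Tuple[Optional[int], Optional[str]]:
    """Replay a trace and report when (and why) the routes were withdrawn."""
    peer = Peer(robust=robust)
    for now, kind in sorted(events):
        peer.on_event(now, kind)
    return peer.withdrawn_at, peer.withdraw_reason


# Constructed traces (not captured from a real session).
SINGLE_RST_THEN_RECONNECT: List[Event] = [
    (0, "KEEPALIVE"), (10, "RST"), (12, "KEEPALIVE"), (40, "KEEPALIVE"),
]
RST_THEN_PEER_SILENT: List[Event] = [
    (0, "KEEPALIVE"), (10, "RST"), (50, "TICK"), (90, "TICK"), (120, "TICK"),
]
RST_THEN_CONNECT_FAILS: List[Event] = [
    (0, "KEEPALIVE"), (10, "RST"),
    (11, "CONNECT_FAIL"), (13, "CONNECT_FAIL"), (15, "CONNECT_FAIL"),
]

if __name__ == "__main__":
    for name, trace in [("single RST, reconnect ok", SINGLE_RST_THEN_RECONNECT),
                        ("RST, then peer silent", RST_THEN_PEER_SILENT),
                        ("RST, then reconnects fail", RST_THEN_CONNECT_FAILS)]:
        for robust in (False, True):
            print(f"{name:28s} robust={robust!s:5s} -> {simulate(robust, trace)}")
```

With the first trace a single spoofed RST costs the naive policy a full route withdrawal at t=10 while the robust policy never withdraws, because the session comes back before the hold timer runs out. The other two traces show that the robust policy still detects a genuinely dead peer: through the hold timer (t=90) when the peer goes silent, or earlier when reconnects keep failing (t=15).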
