[12917] in bugtraq
Re: FTP denial of service attack
daemon@ATHENA.MIT.EDU (antirez@INVECE.ORG)
Fri Dec 10 12:25:27 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991209111713.A170@nagash.suidshell.net>
Date: Thu, 9 Dec 1999 11:17:13 +0100
Reply-To: antirez@invece.org
From: antirez@INVECE.ORG
X-To: bert hubert <ahu@CASEMA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991207224008.A4717@server.ds9a.tudelft.nl>; from
ahu@CASEMA.NET on Tue, Dec 07, 1999 at 10:40:09PM +0100
On Tue, Dec 07, 1999 at 10:40:09PM +0100, bert hubert wrote:
> The free unixes these days mostly come with packet filtering available by
> default, these might be best off. One could imagine a 'libfilter' which
> would easily allow daemons with the right permissions/capabilities to
> instruct the kernel to not accept connections anymore from a certain host.
Also as osserved by Pancrazio De Mauro there are not reasons
to know the client IP only after accept(2) the connection.
The SYN packet contains the IP address so it's possible to
implement for example an accept2 that return just after SYN
was received so we can obtain the IP address and then use
accpet2_reset() to RST or accept2_ok() to follow the threeway
handshake. Since this can be implemented using new syscall
API compatibility is preserved, but this seems a lot better
than modify on the fly firewalling rules.
antirez
