Re: sloppy states and dsr

To: Darrin Chandler <dwchandler@...>
Cc: Ted Unangst <ted.unangst@...>, <misc@...>, Pierre-Yves Ritschard <pyr@...>
Date: Friday, June 20, 2008 - 8:12 pm

On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:

It's a fair statement if by 'forced' you mean, 'compelled beyond your
control, with no other options, having fully understood the consequences
and informed all relevant parties of the risks involved'. This
"feature" is NOT a substitute for good network design.

sloppy state performs basically NO security checks on the TCP stream;
more importantly the TCP state tracking is extremely loose and it's
trivial for an attacker to spoof creation of "fully-established" TCP
connections, which will not time out for an extremely long time, filling
your state table and blocking legitimate traffic. It's dangerous.
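As an added illustration (not part of Ryan's message or anything else in this thread), here is a pf.conf fragment contrasting a bare sloppy rule with the same rule under the state limits and timeouts pf already provides; the interface name and address are constructed placeholders, and the limits are arbitrary numbers to be sized for the actual box.

```pf
# Added example, not from the original post. Scenario: a DSR load-balancer
# front end where only the client->server half of each TCP flow crosses
# the firewall, so full TCP window/sequence tracking cannot work.
# $ext_if and $vip are placeholders for this illustration.

ext_if = "em0"
vip    = "192.0.2.10"          # constructed example address (TEST-NET-1)

# Global state-table ceiling. A flood of spoofed "established" entries
# exhausts this, after which pf refuses to create states for new,
# legitimate flows.
set limit states 20000

# Adaptive timeouts: once the table holds 12000 states, pf scales every
# timeout down linearly until it reaches 20000. Also cut tcp.established
# from its 24h default, since sloppy entries are cheap to create and the
# long default is what lets bogus states linger.
set timeout { adaptive.start 12000, adaptive.end 20000 }
set timeout tcp.established 3600

# Weak form: sloppy tracking with no per-rule or per-source limits.
# pass in on $ext_if proto tcp to $vip port 80 keep state (sloppy)

# Better form (still not a substitute for a design in which the firewall
# sees both directions of the flow): cap the states this rule may create
# so exhaustion is confined to this service, and cap states per source
# address. Note that the per-source cap only helps against a few
# misbehaving hosts; traffic with forged source addresses spreads across
# many "sources" and is bounded only by the rule and global limits.
pass in on $ext_if proto tcp to $vip port { 80 443 } \
    keep state (sloppy, max 10000, source-track rule, max-src-states 100)
```

Reaching the per-rule `max` drops new connections for that rule only, which is the failure mode you want rather than a full state table that blocks every other service on the firewall.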


Messages in current thread:
sloppy states and dsr, Ted Unangst, (Fri Jun 20, 2:47 pm)
Re: sloppy states and dsr, Henning Brauer, (Mon Jun 30, 8:33 pm)
Re: sloppy states and dsr, Theo de Raadt, (Tue Jul 1, 2:35 am)
Re: sloppy states and dsr, Paul de Weerd, (Fri Jun 20, 8:24 pm)
Re: sloppy states and dsr, Pierre-Yves Ritschard, (Fri Jun 20, 2:58 pm)
Re: sloppy states and dsr, Darrin Chandler, (Fri Jun 20, 3:49 pm)
Re: sloppy states and dsr, Ryan McBride, (Fri Jun 20, 8:12 pm)
Re: sloppy states and dsr, Darrin Chandler, (Fri Jun 20, 8:58 pm)