Subject: TCP DOS: out-of-order or silly segments [was Re: tcpdrop for NetBSD]
To: None <tech-net@NetBSD.org>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 05/11/2005 13:02:10
In message <20050511145935.GC2551@cc335-gr01.ece-int.gatech.edu>,
Dheeraj S writes:
>Quoting the original author from another BSD from where I stole the idea
>shamelessly.
>
>"While working on a fix for a denial of service attack involving out-of-order
>TCP packets, [...]
Now _that_ sounds interesting and worth having.
Has anyone reviewed the FreeBSD fix for such attacks? The FreeBSD
fix is readily available as
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
FreeBSD also has a defense against a broadly similar CPU-exhaustion
DoS attack by sending lots and lots of tiny in-order segments
(FreeBSD-5.2 MFC revisions quoted below). The FreeBSD-5 change
estimates mean segment size once per second per connection. If the
estimated mean segment-size is tiny and the rate is high, the
connection is aborted.
Anyone else interested in either one? (Or do we already have them and
my tree is out-of-date?)
--------- begin quoted FreeBSD commit message --------
Andre 2004/01/09 04:32:36 PST
FreeBSD src repository
Modified files: (Branch: RELENG_5_2)
sys/netinet ip_icmp.c tcp.h tcp_input.c tcp_usrreq.c
tcp_var.h
Log:
MFC: Limiters and sanity checks for TCP MSS resource exhaustion attacks.
The net.inet.tcp.minmssoverload is set to zero and thus connection drop
is disabled by default.
Approved by: re (scottl)
Revision Changes Path
1.85.2.1 +4 -2 src/sys/netinet/ip_icmp.c
1.18.6.1 +19 -1 src/sys/netinet/tcp.h
1.217.2.1 +60 -0 src/sys/netinet/tcp_input.c
1.90.2.1 +2 -1 src/sys/netinet/tcp_usrreq.c
1.93.2.1 +7 -0 src/sys/netinet/tcp_var.h
--------- end quoted FreeBSD commit message --------
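The tiny-segment limiter described in the message above (per-connection accounting reset once per second, abort when the segment rate is high and the mean payload size is tiny, disabled when the overload knob is zero) can be modelled in a few lines. The following is an added, self-contained C illustration of that approach; it is not FreeBSD's tcp_input.c code and not part of the original post. The constants TCP_MINMSS and TCP_MINMSSOVERLOAD and the function and field names are assumptions chosen for the example, and the clock in simulate_burst() is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tunables modelled on the knobs the mail mentions: a floor
 * for a plausible MSS and a segments-per-second threshold above which the
 * mean-size check is applied.  An overload value of 0 disables the drop,
 * matching the "disabled by default" behaviour the commit message quotes. */
#define TCP_MINMSS          216
#define TCP_MINMSSOVERLOAD  1000

/* Per-connection accounting state (assumed layout, not a real stack's). */
struct tiny_seg_state {
    uint32_t second;   /* wall-clock second the counters belong to */
    uint32_t pps;      /* data segments received in that second */
    uint32_t byps;     /* payload bytes received in that second */
};

/* Called once per received data segment with its payload length and the
 * current time in whole seconds.  Returns true when the connection should
 * be aborted: the rate exceeded the overload threshold and the mean
 * segment size over the current second is below the MSS floor. */
bool tiny_segment_overload(struct tiny_seg_state *st, uint32_t tlen,
                           uint32_t now_sec, uint32_t minmss,
                           uint32_t overload)
{
    if (overload == 0)
        return false;                  /* knob at zero: limiter disabled */

    if (st->second != now_sec) {       /* new one-second window: restart */
        st->second = now_sec;
        st->pps = 0;
        st->byps = 0;
    }
    st->pps++;
    st->byps += tlen;

    /* Only judge the mean once enough segments arrived in this second;
     * a few tiny segments (e.g. keepalives, telnet keystrokes) are fine. */
    if (st->pps > overload && st->byps / st->pps < minmss)
        return true;
    return false;
}

/* Constructed driver: feed `count` segments of `tlen` payload bytes at
 * `per_sec` segments per second into a fresh state.  Returns the 1-based
 * index of the segment that triggered the abort, or 0 if none did. */
uint32_t simulate_burst(uint32_t count, uint32_t tlen, uint32_t per_sec,
                        uint32_t minmss, uint32_t overload)
{
    struct tiny_seg_state st;
    memset(&st, 0, sizeof st);
    for (uint32_t i = 0; i < count; i++) {
        uint32_t now = 1 + i / per_sec;   /* constructed clock, second 1.. */
        if (tiny_segment_overload(&st, tlen, now, minmss, overload))
            return i + 1;
    }
    return 0;
}

int main(void)
{
    printf("1-byte flood, 1500/s : abort at segment %u\n",
           simulate_burst(1500, 1, 1500, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    printf("1460-byte bulk, 1500/s: abort at segment %u\n",
           simulate_burst(1500, 1460, 1500, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    printf("1-byte trickle, 500/s : abort at segment %u\n",
           simulate_burst(1500, 1, 500, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    printf("1-byte flood, knob=0  : abort at segment %u\n",
           simulate_burst(1500, 1, 1500, TCP_MINMSS, 0));
    return 0;
}
```

The point of the two-part test (rate first, then mean size) is that neither signal alone is a safe trigger: bulk transfers legitimately run at thousands of full-size segments per second, and interactive sessions legitimately send tiny segments at low rates. Only the combination, many segments per second whose average payload is far below any sane MSS, looks like the CPU-exhaustion pattern the mail describes, and the zero default keeps the abort off until an operator turns it on.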