From owner-freebsd-net@FreeBSD.ORG Sun Apr 4 12:36:58 2004
From: Richard Wendland
Reply-To: richard@wendland.org.uk
To: andre@freebsd.org (Andre Oppermann)
Cc: "Jacques A. Vidrine", freebsd-net@freebsd.org
Date: Sun, 4 Apr 2004 20:38:31 +0100 (BST)
Message-Id: <200404041938.UAA07933@starburst.demon.co.uk>
In-Reply-To: <406B3CC0.C277B933@freebsd.org> from "Andre Oppermann" at Mar 31, 2004 11:48:48 PM
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
List-Id: Networking and TCP/IP with FreeBSD

> We have the following sysctl's to withstand such an attack:
>
> net.inet.ip.maxfragpackets [800]
> net.inet.ip.maxfragsperpacket [16]
>
> Of course, when the maxfragpackets limit is reached by malicious
> packets we are unable to process legitimate fragmented IP packets
> until the malicious ones start to time out. There is nothing else
> one can do to fight off such an attack.

It would be possible to improve matters somewhat by having per-protocol
limits. So for TCP, which with MSS and DF rarely fragments, there could
be low limits. But for UDP (e.g. for NFS), which frequently fragments,
there could be generous limits.

So systems that only permit TCP and ICMP from non-trusted hosts could in
an indirect way limit external attack, without e.g. hampering local UDP.

This idea isn't even much of a layer violation, as the fragmentation id
value is per protocol, so IP reassembly already takes account of which
higher level protocol is involved.

It would be reasonable to argue this is too inelegant for only a small
improvement, and not worthwhile. What do you think?

Taking this approach further would have packet filter rules controlling
fragmentation limits. But that's adding a lot of complexity.

NB Strictly shouldn't 'maxfragsperpacket' be 'maxfragsperdatagram' :-)

	Richard
--
Richard Wendland					richard@wendland.org.uk
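A small C model of the per-protocol admission idea discussed in the thread: one reassembly table either enforces the single global net.inet.ip.maxfragpackets limit or a separate budget per IP protocol, and a flood of never-completing TCP fragments is followed by one legitimate fragmented UDP datagram. This is an added example, not code from the thread or from the FreeBSD kernel; the per-protocol budgets (64 for TCP, the remainder for UDP, 16 for anything else) are assumed values, since the thread proposes the split but gives no figures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* IP protocol numbers as in netinet/in.h, redefined to keep the model self-contained. */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define MAXFRAGPACKETS 800  /* net.inet.ip.maxfragpackets quoted in the thread */
/* Per-protocol budgets are an assumption: the thread proposes the split but gives
   no figures. TCP (MSS + DF, rarely fragments) gets a small share, UDP the rest. */
#define TCP_FRAG_BUDGET 64
#define UDP_FRAG_BUDGET (MAXFRAGPACKETS - TCP_FRAG_BUDGET)

struct reass_table {
    bool per_proto;  /* false: one global limit; true: per-protocol limits */
    int  total;      /* partial datagrams currently held */
    int  held[256];  /* partial datagrams held, indexed by IP protocol number */
};

static int budget_for(uint8_t proto)
{
    switch (proto) {
    case PROTO_TCP: return TCP_FRAG_BUDGET;
    case PROTO_UDP: return UDP_FRAG_BUDGET;
    default:        return 16;  /* small assumed default for any other protocol */
    }
}

/* First fragment of a new datagram arrived: may a reassembly queue be opened? */
bool frag_admit(struct reass_table *t, uint8_t proto)
{
    bool full = t->per_proto ? t->held[proto] >= budget_for(proto)
                             : t->total >= MAXFRAGPACKETS;
    if (full)
        return false;
    t->held[proto]++;
    t->total++;
    return true;
}
/* Open `attack_queues` never-completing TCP datagrams, then ask whether a
   legitimate fragmented UDP datagram (e.g. NFS) still gets a queue. */
bool udp_survives_tcp_flood(bool per_proto, int attack_queues)
{
    struct reass_table t;
    memset(&t, 0, sizeof t);
    t.per_proto = per_proto;
    for (int i = 0; i < attack_queues; i++)
        frag_admit(&t, PROTO_TCP);  /* refused once the TCP/global limit is hit */
    return frag_admit(&t, PROTO_UDP);
}
```

With the global limit, 800 outstanding TCP partial datagrams starve the UDP datagram; with per-protocol budgets the same flood is capped at the TCP share and UDP reassembly continues, which is the effect the message argues for.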