Date: Sun, 4 Apr 2004 16:18:05 -0500 (CDT)
From: Mike Silbersack
To: Barney Wolff
cc: freebsd-net@freebsd.org
cc: richard@wendland.org.uk
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
In-Reply-To: <20040404195950.GA20607@pit.databus.com>
Message-ID: <20040404160909.D29958@odysseus.silby.com>
References: <406B3CC0.C277B933@freebsd.org> <200404041938.UAA07933@starburst.demon.co.uk> <20040404195950.GA20607@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, 4 Apr 2004, Barney Wolff wrote:

> On Sun, Apr 04, 2004 at 08:38:31PM +0100, Richard Wendland wrote:
> >
> > It would be possible to improve matters somewhat by having per-protocol
> > limits. So for TCP, which with MSS and DF rarely fragments, there could
> > be low limits. But for UDP (eg for NFS) which frequently fragments,
> > there could be generous limits.
> >
> > So systems that only permit TCP and ICMP from non-trusted hosts could
> > in an indirect way limit external attack, without eg hampering local UDP.
>
> I'd prefer either per-interface limits or a trusted/non-trusted per-interface
> bit, if anything at all. Per-protocol limits would simply cause the
> attackers to attack the other protocol. In truth, running NFS over UDP
> with 65k packets over the Internet is suicidal anyway.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf

Per-protocol limits _could_ have some advantages; the 16 frags per packet
limit was chosen to account for NFS over UDP. For TCP, we could drop that
to 3 frags per packet, allowing more packets within the same amount of mbuf
clusters. But, as you point out, that really won't make much of a difference
overall.

I think that per-interface or perhaps per-trusted hosts (trust hosts that we
have had legitimate tcp sessions with?) would be a good improvement, but
it's a lot of work.

An improvement which I had considered last year when I implemented the
per-packet frag limits was doing coalescing of fragments as they arrived,
changing the limit from "fragments per packet" to "holes per packet". This
would negate any attack which relied upon the fact that even 8 byte
fragments eat up an entire mbuf cluster. However, under a high bandwidth
attack, this improvement would still not really help legitimate hosts get
through, so I haven't spent time implementing it.

Yeah, limits as you suggest are probably the only good way; IP
fragmentation was implemented in a way that just encourages DoS attacks.

Mike "Silby" Silbersack
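The "fragments per packet" versus "holes per packet" accounting that the reply describes, as an added example that is not part of the thread or of the FreeBSD reassembly code: `struct frag`, `count_holes` and `holes_for_contiguous_tiny_frags` are hypothetical names, offsets are plain byte offsets rather than the 8-byte units of the IP header, and the 16-fragment scenario is constructed to match the limit mentioned in the post.

```c
/* Added example (not the post's or FreeBSD's code). Models the two
 * accounting policies discussed above: "fragments per packet" charges one
 * unit per fragment, so 8-byte fragments that each consume an mbuf cluster
 * count fully; "holes per packet" charges only the gaps left after
 * adjacent fragments are coalesced. Offsets are in bytes, not 8-byte units. */
#include <stdlib.h>
#include <string.h>

#define MAX_FRAGS 64

struct frag { unsigned off; unsigned len; };   /* byte offset, payload length */

static int by_offset(const void *a, const void *b)
{
    const struct frag *x = a, *y = b;
    return (x->off > y->off) - (x->off < y->off);
}

/* Number of holes: maximal byte ranges of [0, total) covered by no fragment.
 * Overlapping and adjacent fragments merge; returns -1 on bad input. */
int count_holes(const struct frag *frags, size_t n, unsigned total)
{
    struct frag s[MAX_FRAGS];
    unsigned covered = 0;   /* right edge of the union of fragments so far */
    int holes = 0;

    if (n == 0 || n > MAX_FRAGS)
        return -1;
    memcpy(s, frags, n * sizeof *s);
    qsort(s, n, sizeof *s, by_offset);
    for (size_t i = 0; i < n; i++) {
        if (s[i].off > covered) holes++;          /* gap before this fragment */
        if (s[i].off + s[i].len > covered) covered = s[i].off + s[i].len;
    }
    if (covered < total) holes++;                 /* tail not yet received */
    return holes;
}

/* Constructed scenario: 16 in-order 8-byte fragments of a 1024-byte datagram.
 * The fragment count hits the 16-per-packet limit the post mentions, yet
 * coalescing leaves a single hole (the missing tail). */
int holes_for_contiguous_tiny_frags(void)
{
    struct frag f[16];
    for (unsigned i = 0; i < 16; i++) { f[i].off = i * 8; f[i].len = 8; }
    return count_holes(f, 16, 1024);
}
```

The sparse case in the test (every other 8-byte chunk) shows where the two policies agree: each fragment there opens its own hole, so both counters reach the limit at the same rate.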