Date:      Mon, 6 Aug 2001 16:55:08 -0600
From:      Aaron D.Gifford <agifford@infowest.com>
To:        freebsd-mailing-lists@freebsd.org
Subject:   IP fragment DOS attack on FreeBSD question
Message-ID:  <01080616550800.31114@eq.net>

The recent FreeBSD advisory regarding IP fragment denial-of-service 
attacks didn't mention whether or not an IP filter (ipfw or ipf) that 
drops all fragments is an adequate temporary work-around or not.

Does anyone who is familiar with the problem and attack know if something 
like the following would be a useful temporary work-around?

  ipfw add 1 deny ip from any to any fragment

Does the above drop the fragment and prevent reassembly buffer starvation?

Of course dropping ALL fragments like that will limit the connectivity of 
the host to hosts and networks where fragmentation occurs.  But, if the 
above DOES prevent the DOS, it may be a useful tradeoff to use it as a 
temporary work-around until kernels are patched (kernels with ipfw 
already enabled).

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
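The following is an added example, not part of Aaron Gifford's post or of FreeBSD's code. It models the question in the post with a toy reassembly queue that has a fixed number of slots standing in for the kernel's reassembly resources, and runs the same constructed traffic with and without a stateless "drop every fragment" filter in front of it. The filter here matches any IPv4 packet whose fragment offset is non-zero or whose MF flag is set; which fragments a particular ipfw release's keyword actually matches is something to confirm against the ipfw(8) page for that kernel. Addresses, identification values and the queue size are made-up sample values, and nothing touches the network.

```python
"""Toy model of an IP reassembly queue under fragment flooding, with and
without a stateless fragment-drop filter.  Added example, not from the
original post; all packets are constructed in memory."""
import struct

IP_MF = 0x2000        # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
IP_HDR_LEN = 20


def build_ipv4(ident, offset_words, more_fragments, payload_len=8,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4 packet: 20-byte header, zeroed payload.
    TTL 64, protocol 17 (UDP), checksum left at 0 (sample data only)."""
    flags_frag = (IP_MF if more_fragments else 0) | (offset_words & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      ident, flags_frag, 64, 17, 0, src, dst)
    return hdr + bytes(payload_len)


def fragment_fields(pkt):
    """Return (datagram key, offset in 8-byte words, MF flag, payload length)."""
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident)          # (src, dst, identification)
    return key, flags_frag & IP_OFFMASK, bool(flags_frag & IP_MF), total_len - IP_HDR_LEN


def is_fragment(pkt):
    """Stateless test a packet filter can apply: non-zero offset or MF set."""
    _, offset, mf, _ = fragment_fields(pkt)
    return offset != 0 or mf


class ReassemblyQueue:
    """Holds fragments until a datagram is complete; slots are the scarce resource."""

    def __init__(self, max_slots):
        self.max_slots = max_slots
        self.pending = {}          # key -> list of (offset_words, mf, payload_len)
        self.slots_used = 0
        self.completed = 0
        self.rejected_full = 0

    @staticmethod
    def _complete(frags):
        frags.sort()
        if frags[0][0] != 0 or frags[-1][1]:       # need first fragment and a last one (MF clear)
            return False
        end = 0
        for offset, _mf, plen in frags:            # fragments must be contiguous
            if offset * 8 != end:
                return False
            end += plen
        return True

    def accept(self, pkt):
        """Queue a fragment; return False when no slot is free (starvation)."""
        key, offset, mf, plen = fragment_fields(pkt)
        if self.slots_used >= self.max_slots:
            self.rejected_full += 1
            return False
        frags = self.pending.setdefault(key, [])
        frags.append((offset, mf, plen))
        self.slots_used += 1
        if self._complete(frags):                  # release slots once reassembled
            self.slots_used -= len(frags)
            del self.pending[key]
            self.completed += 1
        return True


def simulate(filter_fragments, max_slots=16, attack_fragments=40):
    """Send attack traffic, then one legitimate two-fragment datagram and one
    unfragmented datagram, optionally behind a drop-all-fragments filter."""
    queue = ReassemblyQueue(max_slots)
    stats = {"dropped_by_filter": 0, "delivered_unfragmented": 0}

    def deliver(pkt):
        if filter_fragments and is_fragment(pkt):
            stats["dropped_by_filter"] += 1        # filter acts before reassembly
            return
        if is_fragment(pkt):
            queue.accept(pkt)
        else:
            stats["delivered_unfragmented"] += 1

    # Attack traffic: each datagram contributes one stray fragment and never completes.
    for ident in range(1000, 1000 + attack_fragments):
        deliver(build_ipv4(ident, offset_words=1, more_fragments=True))

    # Legitimate datagram split into two 8-byte fragments, then an unfragmented one.
    deliver(build_ipv4(7, offset_words=0, more_fragments=True))
    deliver(build_ipv4(7, offset_words=1, more_fragments=False))
    deliver(build_ipv4(8, offset_words=0, more_fragments=False))

    stats.update(reassembled=queue.completed, slots_held=queue.slots_used,
                 rejected_queue_full=queue.rejected_full)
    return stats


if __name__ == "__main__":
    print("no filter:  ", simulate(False))
    print("drop frags: ", simulate(True))
```

Without the filter the stray fragments occupy every slot and the legitimate fragmented datagram is rejected for lack of space; with the filter the queue is never consumed, but the legitimate fragmented datagram is lost at the filter instead, while unfragmented traffic passes either way. That is the trade-off the post describes, with the only difference being whether the loss of fragmented connectivity is caused by the attacker or chosen by the administrator.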