From: Aaron D. Gifford <agifford@infowest.com>
To: freebsd-mailing-lists@freebsd.org
Subject: IP fragment DOS attack on FreeBSD question
Date: Mon, 6 Aug 2001 16:55:08 -0600
Message-Id: <01080616550800.31114@eq.net>
List: freebsd-security@freebsd.org

The recent FreeBSD advisory regarding IP fragment denial-of-service attacks didn't mention whether or not an IP filter (ipfw or ipf) that drops all fragments is an adequate temporary work-around.

Does anyone who is familiar with the problem and attack know if something like the following would be a useful temporary work-around?

    ipfw add 1 deny ip from any to any fragment

Does the above drop the fragment and prevent reassembly buffer starvation?

Of course, dropping ALL fragments like that will limit the connectivity of the host to hosts and networks where fragmentation occurs. But, if the above DOES prevent the DOS, it may be a useful tradeoff to use it as a temporary work-around until kernels are patched (kernels with ipfw already enabled).

Aaron out.
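As an added illustration of what the rule above is matching on (not code from the post or from FreeBSD), the following classifies raw IPv4 packets as non-fragment, first fragment or later fragment using the MF flag and fragment offset, and keeps a per-source count of datagrams whose reassembly never completes, which is the resource the post is worried about. The header builder, the per-source budget and the heuristic of closing a datagram when its last fragment arrives are assumptions made for this example.

```python
import struct
from collections import defaultdict

def build_ipv4(src: str, ident: int, offset: int, mf: bool, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left at 0."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)   # MF bit + 13-bit offset
    src_b = bytes(int(o) for o in src.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 17, 0, src_b, b"\x0a\x00\x00\x01")
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a fragment filter looks at from a raw IPv4 header."""
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, _proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    mf = bool(flags_frag & 0x2000)        # More Fragments flag
    offset = flags_frag & 0x1FFF          # fragment offset, in 8-byte units
    return {"src": ".".join(str(b) for b in src), "id": ident, "mf": mf,
            "offset": offset, "is_fragment": mf or offset != 0, "first": offset == 0}

class FragmentTracker:
    """Count datagrams per source that still hold reassembly state.

    A sender that emits many fragments and never finishes any datagram drives
    this count up; a real reassembly queue would be tying up a buffer for each.
    """
    def __init__(self, max_pending_per_src: int = 64):
        self.max_pending = max_pending_per_src
        self.pending = defaultdict(set)   # src -> set of datagram ids awaiting completion

    def observe(self, pkt: bytes) -> str:
        h = parse_ipv4(pkt)
        if not h["is_fragment"]:
            return "pass"                 # whole datagram: no reassembly state needed
        ids = self.pending[h["src"]]
        if h["mf"]:
            ids.add(h["id"])              # more to come: state stays allocated
        else:
            ids.discard(h["id"])          # last fragment seen: heuristically treat as closed
        return "alert" if len(ids) > self.max_pending else "fragment"
```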