Date: Sat, 07 May 2005 09:17:33 -0500 From: Gandalf The White <gandalf@digital.net> To: Mike Silbersack <silby@silby.com> Cc: freebsd-net@freebsd.org Subject: Re: FreeBSD and the Rose Attack / NewDawn Message-ID: <BEA2382D.1B2B2%gandalf@digital.net> In-Reply-To: <20050506185301.B6374@odysseus.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Greetings and Salutations: On 5/6/05 6:56 PM, "Mike Silbersack" <silby@silby.com> wrote: > I'll take a look at it while I'm at BSDCan next week. From your website's > description of the attack, I don't see why FreeBSD would be affected so > greatly... we must be wasting a lot of time traversing linked lists / etc. > Mike "Silby" Silbersack I realize that Mac OS/X has probably deviated significantly from its FreeBSD roots, but OS/X also showed the same issues until Apple fixed the problem. Take a look at the Linux implementation, they did a pretty good job. It consists of something like: 0) Store the size of packet in a variable 1) Add up the number of bytes the fragments received and continue to store / accept fragments until ... 2) You get the final fragment. If you have enough bytes to look like you have the entire packet then send the fragment off for reassembly, otherwise keep accepting fragments until you get enough fragments for the whole packet. The only problem I see with this is that if you have some kind of weird routing issue where you a router or switch is duplicating fragments then the fragmented packet may not get through unless all of the intermediate fragments arrive before the final fragment. Of course we won't mention some kind of injection / spoofing attack where someone send spoofed fragmented packets to screw up the real data ... Ken --------------------------------------------------------------- Do not meddle in the affairs of wizards for they are subtle and quick to anger. Ken Hollis - Gandalf The White - gandalf@digital.net - O- TINLC WWW Page - http://digital.net/~gandalf/ Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BEA2382D.1B2B2%gandalf>