Date: Sat, 22 Feb 2003 00:43:29 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Mike Silbersack <silby@FreeBSD.org>
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c ip_var.h
Message-ID: <20030222004132.C3092@odysseus.silby.com>
In-Reply-To: <200302220641.h1M6flW1021245@repoman.freebsd.org>
References: <200302220641.h1M6flW1021245@repoman.freebsd.org>
Note that this change *should* stop any IP frag DoS from bringing a system to its knees, but that opinion is only based on testing on my little LAN. If you see a successful attack in the wild, please send me tcpdumps of it so I can see what can be done.

Mike "Silby" Silbersack

On Fri, 21 Feb 2003, Mike Silbersack wrote:

> silby       2003/02/21 22:41:47 PST
>
>   Modified files:
>     sys/netinet          ip_input.c ip_var.h
>   Log:
>   Add the ability to limit the number of IP fragments allowed per packet,
>   and enable it by default, with a limit of 16.
>
>   At the same time, tweak maxfragpackets downward so that in the worst
>   possible case, IP reassembly can use only 1/2 of all mbuf clusters.
>
>   MFC after:    3 days
>   Reviewed by:  hsu
>   Liked by:     bmah
>
>   Revision  Changes    Path
>   1.225     +28 -4     src/sys/netinet/ip_input.c
>   1.71      +1 -0      src/sys/netinet/ip_var.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
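Added example (not the commit's code and not FreeBSD's ip_input.c): a toy C model of a reassembly table that applies the two limits the commit log describes, a cap of 16 fragments per packet and a cap on how many partially reassembled packets are held at once. With both in place, the memory an unfinished fragment flood can pin is bounded by their product no matter how many fragments arrive. The names MAXFRAGSPERPACKET, MAXFRAGPACKETS and ip_frag_input, the fixed table size, and the policy of dropping a new fragment when the table is full are assumptions for illustration; the real maxfragpackets is derived from the mbuf cluster count, as the log says.

```c
#include <stdio.h>
#include <string.h>

/* Assumed names/values for this model; not the kernel's sysctls or ipq code. */
#define MAXFRAGSPERPACKET 16  /* fragments one packet may consist of (commit: 16) */
#define MAXFRAGPACKETS     4  /* partially reassembled packets held at once (toy value) */

struct frag {
    unsigned off;   /* byte offset of this fragment in the original datagram */
    unsigned len;   /* payload bytes carried by this fragment */
    int more;       /* 1 if more fragments follow (MF flag), 0 for the last piece */
};

struct fragq {
    int in_use;
    unsigned id;    /* stand-in for the (src, dst, proto, ip_id) reassembly key */
    int nfrags;
    struct frag frags[MAXFRAGSPERPACKET];
};

static struct fragq queues[MAXFRAGPACKETS];
static unsigned long dropped_perpacket;  /* queues discarded for exceeding the per-packet cap */
static unsigned long dropped_nofreeq;    /* fragments discarded because the table was full */
static unsigned long completed;

void reasm_reset(void)
{
    memset(queues, 0, sizeof queues);
    dropped_perpacket = dropped_nofreeq = completed = 0;
}

static struct fragq *lookup_or_alloc(unsigned id)
{
    int i;
    for (i = 0; i < MAXFRAGPACKETS; i++)
        if (queues[i].in_use && queues[i].id == id)
            return &queues[i];
    for (i = 0; i < MAXFRAGPACKETS; i++)
        if (!queues[i].in_use) {
            queues[i].in_use = 1;
            queues[i].id = id;
            queues[i].nfrags = 0;
            return &queues[i];
        }
    return NULL;  /* table full: this model drops the new fragment */
}

/* 1 when the queued fragments cover byte 0 contiguously up to the end of the last fragment. */
static int queue_complete(const struct fragq *q)
{
    unsigned total = 0, expected = 0;
    int i, found_last = 0, progressed;

    for (i = 0; i < q->nfrags; i++)
        if (!q->frags[i].more) {
            found_last = 1;
            total = q->frags[i].off + q->frags[i].len;
        }
    if (!found_last)
        return 0;
    do {  /* walk the chain from offset 0; n <= 16 so the quadratic scan is fine */
        progressed = 0;
        for (i = 0; i < q->nfrags; i++)
            if (q->frags[i].off == expected) {
                expected += q->frags[i].len;
                progressed = 1;
                break;
            }
    } while (progressed && expected < total);
    return expected == total;
}

/* Feed one fragment. Returns 1 = datagram completed, 0 = queued, -1 = dropped. */
int ip_frag_input(unsigned id, unsigned off, unsigned len, int more)
{
    struct fragq *q = lookup_or_alloc(id);
    if (q == NULL) {
        dropped_nofreeq++;
        return -1;
    }
    if (q->nfrags >= MAXFRAGSPERPACKET) {
        /* Too many pieces for one packet: discard the whole queue and free its slot. */
        q->in_use = 0;
        dropped_perpacket++;
        return -1;
    }
    q->frags[q->nfrags].off = off;
    q->frags[q->nfrags].len = len;
    q->frags[q->nfrags].more = more;
    q->nfrags++;
    if (queue_complete(q)) {
        q->in_use = 0;
        completed++;
        return 1;
    }
    return 0;
}

int frags_held(void)
{
    int i, n = 0;
    for (i = 0; i < MAXFRAGPACKETS; i++)
        if (queues[i].in_use)
            n += queues[i].nfrags;
    return n;  /* never exceeds MAXFRAGSPERPACKET * MAXFRAGPACKETS */
}

int queues_in_use(void)
{
    int i, n = 0;
    for (i = 0; i < MAXFRAGPACKETS; i++)
        n += queues[i].in_use;
    return n;
}

unsigned long stat_dropped_perpacket(void) { return dropped_perpacket; }
unsigned long stat_dropped_nofreeq(void) { return dropped_nofreeq; }
unsigned long stat_completed(void) { return completed; }

int main(void)
{
    int i;
    reasm_reset();
    /* Constructed input: 100 fragments of one packet id, the final piece never sent. */
    for (i = 0; i < 100; i++)
        ip_frag_input(7, (unsigned)i * 8, 8, 1);
    printf("held %d fragments, %lu over-long queues discarded\n",
           frags_held(), stat_dropped_perpacket());
    return 0;
}
```

The two counters are the observable side of the defense: a sustained climb in the per-packet drop counter or the table-full counter points at fragment traffic that never completes, which is the tcpdump the message above asks for.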