From: Stefan Bethke
To: Matthew Dillon
cc: Garrett Wollman, John Saunders, freebsd-current@FreeBSD.ORG
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
Date: Wed, 2 Dec 1998 00:37:47 +0100 (CET)
In-Reply-To: <199812011647.IAA07545@apollo.backplane.com>

Just as a side-note:

On Tue, 1 Dec 1998, Matthew Dillon wrote:

> :We should rate-limit ARPs, but don't.
>
>     ARP's reasonably rate-limited because most subnets are /24's, it's
>     the packets queued up waiting for the ARP to resolve that are the
>     problem.

Actually, arp is already (somewhat) rate-limited. Look in
src/sys/netinet/if_ether.c:arpresolve(), around line 369:

    /*
     * There is an arptab entry, but no ethernet address
     * response yet. Replace the held mbuf with this
     * latest one.
     */
    if (la->la_hold)
        m_freem(la->la_hold);

The packet waiting for the address to resolve will be replaced by the next
packet transmitted for this address. Use ping -f and tcpdump to see for
yourself. Theory suggests that there can be no more than one request per
local IP address per second, and, due to the limit of a maximum of 5 tries,
even less (net.link.ether.inet.{maxtries,host_down_time}).

Cheers, Stefan

--
Stefan Bethke                   Muehlendamm 12
Phone: +49-40-256848, +49-177-3504009
D-22087 Hamburg, Germany
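As an added example (constructed here, not code from the message or from FreeBSD), a small C model of the arpresolve() behaviour Stefan describes: one held packet per entry, replaced by each newer transmit, at most one request per second, and a back-off once the tries are exhausted. The struct and field names and the default values of 5 tries and 20 seconds are assumptions for the demonstration.

```c
#include <stdlib.h>

/* Constructed model (not the FreeBSD source) of the arpresolve() behaviour the
 * message describes: an unresolved entry holds at most ONE packet (the newest
 * transmit replaces it), at most one ARP request per second goes out, and after
 * maxtries the entry backs off for host_down_time. Names/defaults are assumed. */

#define ARP_MAXTRIES  5    /* modelled net.link.ether.inet.maxtries */
#define ARP_HOST_DOWN 20   /* modelled net.link.ether.inet.host_down_time (s) */

struct pkt { int id; };

struct arp_entry {
    struct pkt *la_hold;    /* the single held packet, NULL if none */
    int  la_asked;          /* requests sent since the last reset */
    long rt_expire;         /* second of the last request, or end of backoff */
    int  rejecting;         /* host marked down: drop without requesting */
    int  requests_sent, packets_dropped;   /* demonstration counters */
};

/* Transmit m at time now (seconds) to a still-unresolved address.
 * Returns 1 if this transmit caused an ARP request, 0 otherwise. */
int arp_transmit(struct arp_entry *la, struct pkt *m, long now)
{
    if (la->rejecting && now < la->rt_expire) {        /* inside host_down backoff */
        free(m); la->packets_dropped++; return 0;
    }
    la->rejecting = 0;
    if (la->la_hold) { free(la->la_hold); la->packets_dropped++; } /* replace, never queue */
    la->la_hold = m;
    if (la->la_asked == 0 || la->rt_expire != now) {   /* at most one request per second */
        la->rt_expire = now;
        if (la->la_asked++ < ARP_MAXTRIES) { la->requests_sent++; return 1; }
        free(la->la_hold); la->la_hold = NULL; la->packets_dropped++;  /* give up */
        la->rejecting = 1; la->rt_expire = now + ARP_HOST_DOWN; la->la_asked = 0;
    }
    return 0;
}

/* Flood n packets at time now; returns how many ARP requests that caused. */
int arp_flood(struct arp_entry *la, int n, long now)
{
    int reqs = 0;
    for (int i = 0; i < n; i++) {
        struct pkt *m = malloc(sizeof *m); m->id = i;
        reqs += arp_transmit(la, m, now);
    }
    return reqs;
}
```

A 1000-packet burst in one second produces a single request and leaves only the last packet held, which is the ping -f / tcpdump observation in the message.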