Date:      Thu, 3 Dec 1998 16:34:32 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Stefan Bethke <stb@hanse.de>
Cc:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, John Saunders <john.saunders@scitec.com.au>, freebsd-current@FreeBSD.ORG
Subject:   Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
Message-ID:  <199812040034.QAA01418@apollo.backplane.com>
References:   <Pine.BSF.3.96.981202001055.26430A-100000@transit.hanse.de>

:Just as a side-note:
:
:On Tue, 1 Dec 1998, Matthew Dillon wrote:
:
:> :We should rate-limit ARPs, but don't.
:> 
:>     ARP's reasonably rate-limited because most subnets are /24's, it's
:>     the packets queued up waiting for the ARP to resolve that are the
:...
:
:Actually, arp is already (somewhat) rate-limited.  Look in
:src/sys/netinet/if_ether.c:arpresolve(), around line 369:
:...
:The packet waiting for the address to resolve will be replaced by the next
:packet transmitted for this address.  Use ping -f and tcpdump to see for
:
:Theory suggests that there can be no more than one request per local IP
:...

    Ah, I see.  I was thinking of the ARP packets themselves, but it makes
    sense to limit the queued packets waiting for ARP to any given destination IP.

    If you have a larger subnet, say a class B, an attacker can spoof 
    sufficient packets (which the machine then tries to reply to) to cover
    the entire class B... 65536 queued packets waiting for ARP, for example.

    But I consider this a minor problem, since most machines don't sit on
    insanely huge subnets.  It would be nice to fix, but not critical.

					-Matt

:Cheers,
:Stefan


    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
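As an added illustration (this is not code from the thread or from FreeBSD's if_ether.c), the C model below reproduces the behaviour Stefan describes, where an unresolved destination parks at most one packet and a newer packet replaces the older one, and the bound Matt draws from it: held memory grows with the number of distinct unresolved hosts, so a /16 can end up with tens of thousands of parked packets. It also adds an assumed global cap on incomplete entries, purely to show what bounding that resource would look like; the cap, the network 10.1.0.0/16 and the packet sizes are constructed for the example.

```c
/*
 * Added example, not FreeBSD code: a model of the per-destination ARP
 * hold discussed in the thread.  Every unresolved host keeps exactly one
 * parked packet, so held packets == incomplete entries, and that number
 * is bounded only by the size of the subnet unless a cap is imposed.
 * The global cap (max_incomplete) is an assumed mitigation for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_BITS  16                  /* model a /16 ("class B") subnet */
#define HOST_SLOTS (1u << HOST_BITS)
#define HOST_MASK  (HOST_SLOTS - 1)

enum arp_result { ARP_SENT = 0, ARP_HELD = 1, ARP_DROPPED = -1 };

struct arp_entry {
    uint8_t  resolved;   /* link-layer address is known */
    uint8_t  has_hold;   /* one packet parked waiting for a reply */
    uint32_t hold_len;   /* size of the parked packet */
};

struct arp_table {
    uint32_t net;             /* network part, host bits zero */
    size_t max_incomplete;    /* 0 = unbounded, the behaviour discussed above */
    size_t held;              /* parked packets == incomplete entries */
    size_t replaced;          /* parked packets overwritten by a newer one */
    size_t dropped;           /* packets refused because the cap was reached */
    struct arp_entry *slots;  /* direct-indexed by host part */
};

static int arp_table_init(struct arp_table *t, uint32_t net, size_t max_incomplete)
{
    memset(t, 0, sizeof *t);
    t->net = net & ~HOST_MASK;
    t->max_incomplete = max_incomplete;
    t->slots = calloc(HOST_SLOTS, sizeof *t->slots);
    return t->slots ? 0 : -1;
}

static void arp_table_free(struct arp_table *t) { free(t->slots); t->slots = NULL; }

/* Outbound packet of len bytes for dst: send, park (replacing any older
 * parked packet for the same host), or drop when the assumed cap is hit. */
static enum arp_result arp_enqueue(struct arp_table *t, uint32_t dst, uint32_t len)
{
    if ((dst & ~HOST_MASK) != t->net)
        return ARP_DROPPED;                       /* off-subnet: out of scope here */
    struct arp_entry *e = &t->slots[dst & HOST_MASK];
    if (e->resolved)
        return ARP_SENT;
    if (!e->has_hold) {                           /* opens a new incomplete entry */
        if (t->max_incomplete && t->held >= t->max_incomplete) {
            t->dropped++;
            return ARP_DROPPED;
        }
        e->has_hold = 1;
        t->held++;
    } else {
        t->replaced++;                            /* only one hold per destination */
    }
    e->hold_len = len;
    return ARP_HELD;
}

/* ARP reply for ip: entry becomes complete and the parked packet goes out.
 * Returns the size of the released packet, 0 if nothing was parked. */
static uint32_t arp_reply(struct arp_table *t, uint32_t ip)
{
    if ((ip & ~HOST_MASK) != t->net)
        return 0;
    struct arp_entry *e = &t->slots[ip & HOST_MASK];
    uint32_t released = 0;
    if (e->has_hold) {
        released = e->hold_len;
        e->has_hold = 0;
        t->held--;
    }
    e->resolved = 1;
    return released;
}

struct sweep_stats { size_t held, dropped; };

/* One packet to every usable host of the /16 (the "65536 queued packets"
 * figure in the mail, minus network and broadcast addresses). */
static struct sweep_stats sweep_subnet(size_t max_incomplete)
{
    struct sweep_stats s = {0, 0};
    struct arp_table t;
    if (arp_table_init(&t, 0x0A010000u /* 10.1.0.0, constructed */, max_incomplete))
        return s;
    for (uint32_t h = 1; h < HOST_SLOTS - 1; h++)
        arp_enqueue(&t, t.net | h, 64);
    s.held = t.held;
    s.dropped = t.dropped;
    arp_table_free(&t);
    return s;
}

/* Replace semantics: two packets to one host leave one parked packet,
 * the newest one, and the entry sends directly once resolved. */
static int check_replace(void)
{
    struct arp_table t;
    if (arp_table_init(&t, 0x0A010000u, 0))
        return 0;
    uint32_t dst = t.net | 7;
    int ok = arp_enqueue(&t, dst, 100) == ARP_HELD
          && arp_enqueue(&t, dst, 200) == ARP_HELD
          && t.held == 1 && t.replaced == 1
          && arp_reply(&t, dst) == 200 && t.held == 0
          && arp_enqueue(&t, dst, 300) == ARP_SENT;
    arp_table_free(&t);
    return ok;
}

int main(void)
{
    struct sweep_stats unbounded = sweep_subnet(0), capped = sweep_subnet(1024);
    printf("no cap:   %zu packets parked\n", unbounded.held);
    printf("cap 1024: %zu parked, %zu dropped\n", capped.held, capped.dropped);
    printf("replace semantics ok: %d\n", check_replace());
    return 0;
}
```

The `held` counter is the number to watch on a real system: it is bounded by the number of distinct unresolved destinations, which is why the /24 case is benign and the /16 case is not. The assumed cap bounds memory at the cost of refusing the first packet to any new unresolved host once the table is full, so `dropped` and `replaced` are the counters that would tell an operator whether the limit is being hit by legitimate traffic.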

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812040034.QAA01418>