Date: Fri, 4 Dec 1998 03:02:06 +0100 (CET)
From: Stefan Bethke <stb@hanse.de>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, John Saunders <john.saunders@scitec.com.au>, freebsd-current@FreeBSD.ORG
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
Message-ID: <Pine.BSF.3.96.981204025954.3839N-100000@transit.hanse.de>
In-Reply-To: <199812040034.QAA01418@apollo.backplane.com>
On Thu, 3 Dec 1998, Matthew Dillon wrote:

> :Just as a side-note:
> :
> :On Tue, 1 Dec 1998, Matthew Dillon wrote:
> :
> :> :We should rate-limit ARPs, but don't.
> :>
> :> ARP's reasonably rate-limited because most subnets are /24's, it's
> :> the packets queued up waiting for the ARP to resolve that are the
> :...
> :
> :Actually, arp is already (somewhat) rate-limited.
>
> Ah, I see. I was thinking of the ARP packets themselves but it makes
> sense to limit the queued packets waiting for ARP to any given destination IP.
>
> If you have a larger subnet, say a class B, an attacker can spoof
> sufficient packets (which the machine then tries to reply to) to cover
> the entire class B... 65536 queued packets waiting for ARP, for example.

Only if you have a large number of unused addresses; for the used ones, a
reply will be received, and subsequently, far fewer ARPs will be done.

Stefan

--
Stefan Bethke                                   Muehlendamm 12
Phone: +49-40-256848, +49-177-3504009           D-22087 Hamburg
<stefan.bethke@hanse.de>                        Hamburg, Germany
<stb@freebsd.org>
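A small added model of the queued-packets-waiting-for-ARP scenario discussed in this exchange; it is not part of the thread or of the FreeBSD kernel. It assumes a constructed /16 with three live hosts, that live hosts answer ARP immediately (so their packets never accumulate), and compares an unbounded hold queue with a per-destination cap of one held packet, which is an assumption in the spirit of holding a single mbuf per unresolved entry.

```python
import ipaddress
from collections import defaultdict

# Constructed scenario (assumption): a class B where only three addresses are in use.
SUBNET = ipaddress.ip_network("10.0.0.0/16")
LIVE_HOSTS = {"10.0.0.1", "10.0.1.20", "10.0.200.7"}


class ArpHoldQueue:
    """Packets held on the local host while ARP resolution is outstanding.

    max_per_dest: packets allowed to wait for one unresolved destination.
    None models an unbounded queue (the case Dillon describes); 1 models a
    per-destination cap (assumed here, not taken from the kernel source).
    """

    def __init__(self, max_per_dest=None):
        self.max_per_dest = max_per_dest
        self.held = defaultdict(int)   # destination -> packets waiting for ARP
        self.dropped = 0               # packets refused by the per-destination cap

    def send(self, dst):
        # A live host replies to the ARP request, so its packet is delivered
        # rather than queued (Stefan's point: only unused addresses accumulate).
        if dst in LIVE_HOSTS:
            return
        if self.max_per_dest is not None and self.held[dst] >= self.max_per_dest:
            self.dropped += 1
            return
        self.held[dst] += 1

    def total_held(self):
        return sum(self.held.values())


def simulate(packets_per_addr, max_per_dest=None):
    """Spoofed traffic that makes this host reply to every address in SUBNET.

    Returns (packets held waiting for ARP, packets dropped by the cap).
    """
    q = ArpHoldQueue(max_per_dest)
    for addr in SUBNET.hosts():          # 65534 host addresses in a /16
        for _ in range(packets_per_addr):
            q.send(str(addr))
    return q.total_held(), q.dropped


if __name__ == "__main__":
    print("unbounded, 4 packets/addr:", simulate(4))       # grows with attack volume
    print("cap of 1, 4 packets/addr:", simulate(4, 1))     # bounded by unused addresses
```

With the cap, memory held is bounded by the number of unused addresses in the subnet (65531 here) no matter how much traffic the attacker sends; without it, it grows with the attack volume.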