Date: Wed, 31 Mar 2004 18:09:09 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Andre Oppermann <andre@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
Message-ID: <20040331180359.G4941@odysseus.silby.com>
In-Reply-To: <406B3CC0.C277B933@freebsd.org>
References: <20040331205406.GD16803@madman.celabo.org> <406B3CC0.C277B933@freebsd.org>
On Wed, 31 Mar 2004, Andre Oppermann wrote:

> We have the following sysctl's to withstand such an attack:
>
> net.inet.ip.maxfragpackets [800]
> net.inet.ip.maxfragsperpacket [16]
>
> Which limits such an attack to 800 packets overall and 16 fragments
> per packet.
>
> Of course, when the maxfragpackets limit is reached by malicious
> packets we are unable to process legitimate fragmented IP packets
> until the malicious ones start to time out. There is nothing else
> one can do to fight off such an attack.
>
> --
> Andre

Actually, once the limit is reached, packets are forced out in FIFO order. However, if the attack is continuous and of a high data rate, then it is possible that legitimate packets will be forced out of the queue before they can be fully reassembled.

NetBSD has adopted a slightly different approach to the problem: they track the total number of fragments, then do a random purge of reassembly queues whenever the fragment count hits a certain threshold. I suspect that under a high bandwidth fragmentation attack, both approaches would be overwhelmed.

I'm not sure what's really new about this "Rose Attack"; it shouldn't affect 4.8+ FreeBSD machines much at all. I'm actually puzzled that his attack does anything at all, you can eat up a lot more memory using fragrouter and some creative ipfw rules. :)

Mike "Silby" Silbersack
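The two limits Andre quotes and the two eviction policies Mike contrasts (FreeBSD's FIFO eviction of the oldest reassembly queue versus NetBSD's random purge once the fragment count hits a threshold) can be made concrete with a small toy model. The Python below is an added illustration, not FreeBSD or NetBSD code; the reassembly-table structure, the random-purge threshold (assumed here to equal maxfragpackets), the addresses and the traffic mix are all constructed assumptions. It shows why a sustained stream of never-completing fragments pushes a legitimate datagram's queue out before its last fragment arrives, and how maxfragsperpacket bounds the per-datagram cost.

```python
"""Toy model of IP fragment-reassembly resource limits (constructed example)."""
import random
from collections import OrderedDict

# Defaults quoted in the message above.
MAXFRAGPACKETS = 800
MAXFRAGSPERPACKET = 16


class ReassemblyQueues:
    """Models a host's table of partially reassembled datagrams.

    policy="fifo":   when the number of queues reaches maxfragpackets, the
                     oldest queue is freed (the FreeBSD behaviour described).
    policy="random": when the total fragment count reaches frag_threshold,
                     a randomly chosen queue is freed (the NetBSD approach).
    """

    def __init__(self, policy="fifo", maxfragpackets=MAXFRAGPACKETS,
                 maxfragsperpacket=MAXFRAGSPERPACKET, frag_threshold=None, seed=0):
        self.policy = policy
        self.maxfragpackets = maxfragpackets
        self.maxfragsperpacket = maxfragsperpacket
        # Assumed threshold for the random policy: same budget as the FIFO limit.
        self.frag_threshold = frag_threshold or maxfragpackets
        self.rng = random.Random(seed)
        self.queues = OrderedDict()   # key -> set of fragment offsets seen (oldest first)
        self.nfrags = 0               # fragments currently held across all queues
        self.evicted = 0              # queues freed by the table-wide limit
        self.oversize_drops = 0       # queues dropped for exceeding maxfragsperpacket

    def _free(self, key):
        self.nfrags -= len(self.queues.pop(key))
        self.evicted += 1

    def add_fragment(self, key, offset, nfrags_total):
        """Process one fragment; return "complete", "queued" or "dropped".

        key stands for the (src, dst, ip_id, proto) tuple that identifies a
        datagram; nfrags_total is how many fragments it needs to complete.
        """
        if (self.policy == "fifo" and key not in self.queues
                and len(self.queues) >= self.maxfragpackets):
            self._free(next(iter(self.queues)))          # oldest queue goes first
        if (self.policy == "random" and self.queues
                and self.nfrags >= self.frag_threshold):
            self._free(self.rng.choice(list(self.queues)))
        q = self.queues.setdefault(key, set())
        if offset not in q:
            if len(q) >= self.maxfragsperpacket:
                # Too many pieces for one datagram: drop the whole queue.
                self.queues.pop(key)
                self.nfrags -= len(q)
                self.oversize_drops += 1
                return "dropped"
            q.add(offset)
            self.nfrags += 1
        if len(q) == nfrags_total:
            self.queues.pop(key)
            self.nfrags -= len(q)
            return "complete"
        return "queued"


def simulate(policy, attack_fragments, seed=0):
    """One legitimate 4-fragment datagram arrives while attack_fragments bogus
    single-fragment datagrams (each with a fresh IP id, never completing) land
    between its first and second fragment. Returns (legit_completed, evictions)."""
    rq = ReassemblyQueues(policy=policy, seed=seed)
    legit = ("10.0.0.2", "10.0.0.1", 4242)              # constructed (src, dst, ip_id)
    rq.add_fragment(legit, 0, 4)
    for i in range(attack_fragments):
        rq.add_fragment(("198.51.100.7", "10.0.0.1", i), 0, 99)
    status = "queued"
    for off in (1, 2, 3):
        status = rq.add_fragment(legit, off, 4)
    return status == "complete", rq.evicted


if __name__ == "__main__":
    for policy in ("fifo", "random"):
        for burst in (0, 500, 1000):
            done, ev = simulate(policy, burst)
            print(f"{policy:6} burst={burst:4}  legit completed={done}  evictions={ev}")
```

With a burst of 500 bogus datagrams the table never fills and the legitimate datagram reassembles under either policy; at 1000 the FIFO policy deterministically evicts the legitimate queue, since it is the oldest entry, whereas the random purge only evicts it with some probability. The worst case held in memory is bounded at maxfragpackets times maxfragsperpacket fragments, which is what keeps the attack a denial of reassembly rather than a memory-exhaustion problem.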