Date:      Tue, 12 Nov 2002 00:27:54 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        David Gilbert <dgilbert@velocet.ca>
Cc:        freebsd-net@freebsd.org
Subject:   Re: forwarded message on Source Quench Packets.
Message-ID:  <20021112002616.I21273-100000@patrocles.silby.com>
In-Reply-To: <15824.4383.916763.477130@canoe.velocet.net>


(redirected to -net so others can review this)

I can see how these source quench messages would cause problems if a DoS
is being routed through a FreeBSD router, and I think that your patch
makes sense.  Are there any objections to me committing this in a few
days?

Mike "Silby" Silbersack

On Mon, 11 Nov 2002, David Gilbert wrote:

> I normally wouldn't forward something to such a big list, but this has
> real implications (and was part of a nasty DOS against dsl.ca last
> week).  The patch for FreeBSD (NetBSD code is quoted) is trivial:
>
> --- /sys/netinet/ip_input.c     Thu Oct 17 08:29:53 2002
> +++ ip_input.c  Mon Nov 11 15:15:31 2002
> @@ -1822,9 +1822,7 @@
>                 break;
>
>         case ENOBUFS:
> -               type = ICMP_SOURCEQUENCH;
> -               code = 0;
> -               break;
> +               return;
>
>         case EACCES:                    /* ipfw denied packet */
>                 m_freem(mcopy);
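
Review bot: the new `return;` under `case ENOBUFS:` leaves the function without releasing `mcopy`, while the `EACCES` case directly below starts with `m_freem(mcopy);`. Unless `mcopy` is freed somewhere outside the visible lines, each ENOBUFS now leaks an mbuf, and it does so exactly when buffer space is already exhausted. Suggest `m_freem(mcopy); return;` here, plus a short comment stating that source quench is deliberately not generated, so the silent drop is not mistaken for an oversight later.
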
>
> I'm submitting a PR now.
>
> For discussion: source quenches probably shouldn't be generated
> anyways, but this patch also doesn't generate the source quench if
> we're the target machine.  It's probably good to go straight ahead
> with this.  IIRC, tcp_input.c also can generate a source quench
> ...
>
>

