Date: Tue, 12 Nov 2002 12:55:58 +0300 (MSK)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Mike Silbersack <silby@silby.com>
Cc: David Gilbert <dgilbert@velocet.ca>, <freebsd-net@FreeBSD.ORG>
Subject: Re: forwarded message on Source Quench Packets.
Message-ID: <20021112125358.B92456-100000@news1.macomnet.ru>
In-Reply-To: <20021112002616.I21273-100000@patrocles.silby.com>
References: <20021112002616.I21273-100000@patrocles.silby.com>
On 09:27+0300, Nov 12, 2002, Mike Silbersack wrote:
>
> (redirected to -net so others can review this)
>
> I can see how these source quench messages would cause problems if a DoS
> is being routed through a FreeBSD router, and I think that your patch
> makes sense.  Are there any objections to me committing this in a few
> days?

Shouldn't we call m_freem(mcopy) before return?  Here is an updated diff,
a comment was stolen from NetBSD.

Index: sys/netinet/ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.215
diff -u -r1.215 ip_input.c
--- sys/netinet/ip_input.c	20 Oct 2002 22:52:06 -0000	1.215
+++ sys/netinet/ip_input.c	12 Nov 2002 09:51:48 -0000
@@ -1970,9 +1970,14 @@
 		break;
 
 	case ENOBUFS:
-		type = ICMP_SOURCEQUENCH;
-		code = 0;
-		break;
+		/*
+		 * A router should not generate ICMP_SOURCEQUENCH as
+		 * required in RFC1812 Requirements for IP Version 4 Routers.
+		 * Source quench could be a big problem under DoS attacks,
+		 * or if the underlying interface is rate-limited.
+		 */
+		m_freem(mcopy);
+		return;
 
 	case EACCES:			/* ipfw denied packet */
 		m_freem(mcopy);
%%%

> Mike "Silby" Silbersack
>
> On Mon, 11 Nov 2002, David Gilbert wrote:
>
> > I normally wouldn't forward something to such a big list, but this has
> > real implications (and was part of a nasty DOS against dsl.ca last
> > week).  The patch for FreeBSD (netbsd code is quoted) is trivial:
> >
> > --- /sys/netinet/ip_input.c	Thu Oct 17 08:29:53 2002
> > +++ ip_input.c	Mon Nov 11 15:15:31 2002
> > @@ -1822,9 +1822,7 @@
> >  		break;
> >
> >  	case ENOBUFS:
> > -		type = ICMP_SOURCEQUENCH;
> > -		code = 0;
> > -		break;
> > +		return;
> >
> >  	case EACCES:			/* ipfw denied packet */
> >  		m_freem(mcopy);
> >
> > I'm submitting a PR now.
> >
> > For discussion: source quenches probably shouldn't be generated
> > anyways, but this patch also doesn't generate the source quench if
> > we're the target machine.  It's probably good to go straight ahead
> > with this.  IIRC, tcp_input.c also can generate a source quench
> > ...
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>
>

-- 
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
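Review bot: in Maxim's updated hunk (@@ -1970,9 +1970,14 @@) the new ENOBUFS body, `m_freem(mcopy);` followed by `return;`, is now identical to the EACCES body two lines below it; moving `case ENOBUFS:` next to `case EACCES:` so the two labels share one body would avoid the duplication, with the RFC 1812 comment kept above the shared label. The comment's wording "should not generate ICMP_SOURCEQUENCH as required in RFC1812" can be read as saying RFC 1812 requires generating it; "as RFC 1812 (Requirements for IP Version 4 Routers) requires" or "RFC 1812 says a router SHOULD NOT originate Source Quench" is unambiguous. Replacing `break;` with `return;` also skips whatever error handling follows the switch, which is the intent here (the packet is dropped silently), and is worth one line in the comment so the next reader does not take it for an accidental early exit.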
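Review bot: in David's quoted hunk (@@ -1822,9 +1822,7 @@) the bare `return;` in the ENOBUFS case leaks mcopy: the EACCES case directly below shows that this path is expected to call `m_freem(mcopy);` before leaving, and the ENOBUFS path previously reached the free via the shared code after `break;`. Maxim's updated diff earlier in this message adds the missing `m_freem(mcopy);` before the `return;`, which is the fix this hunk needs.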
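A defender-side check for the behaviour this thread is removing, added here as an illustration and not code from the thread or from FreeBSD: a Python script that walks raw IPv4 packets, picks out ICMP Source Quench messages (ICMP type 4) whose checksum verifies, and reports which host originated each one and whose datagram it quotes. Run over a capture taken on the forwarded path, it confirms that a router no longer emits source quench after the ENOBUFS change; the addresses, packet bytes and helper names below are constructed for the example.

```python
import struct
from collections import Counter

# ICMP type 4 is Source Quench (RFC 792); RFC 1812 says a router SHOULD NOT
# originate it, which is what the ip_forward() change in the thread implements.
ICMP_SOURCEQUENCH = 4
ICMP_ECHOREPLY = 0
IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for constructed sample packets (IP checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def icmp_message(icmp_type, code, body):
    """ICMP header (type, code, checksum, 4 unused bytes) + body, with a valid checksum."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) or None if pkt is not a well-formed IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:total_len]


def find_source_quench(packets):
    """Yield one record per valid ICMP Source Quench: who sent it, who received it,
    and (from the quoted original header) whose datagram it was reacting to."""
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None or parsed[0] != IPPROTO_ICMP:
            continue
        _, sender, receiver, icmp = parsed
        if len(icmp) < 8 or icmp[0] != ICMP_SOURCEQUENCH:
            continue
        if inet_checksum(icmp) != 0:
            continue  # corrupt or truncated ICMP, not evidence of anything
        quoted = parse_ipv4(icmp[8:])  # original IP header + first 8 data bytes (RFC 792)
        yield {"router": sender, "victim": receiver,
               "quoted_src": quoted[1] if quoted else None,
               "quoted_dst": quoted[2] if quoted else None}


def quench_report(packets):
    """Count Source Quench messages per originating host; a patched router shows none."""
    return Counter(rec["router"] for rec in find_source_quench(packets))


def sample_packets():
    """Constructed traffic (not a real capture): two forwarded UDP datagrams, three
    Source Quench replies from two routers, one Source Quench with a bad checksum,
    an unrelated Echo Reply, and a truncated run of bytes."""
    def udp_datagram(src, dst):
        return ipv4_header(src, dst, IPPROTO_UDP, 8) + struct.pack("!HHHH", 40000, 53, 8, 0)

    def quench(router, original):
        # RFC 792: the body is the original IP header plus 64 bits of its data
        msg = icmp_message(ICMP_SOURCEQUENCH, 0, original[:28])
        orig_src = parse_ipv4(original)[1]
        return ipv4_header(router, orig_src, IPPROTO_ICMP, len(msg)) + msg

    d1 = udp_datagram("198.51.100.7", "203.0.113.9")
    d2 = udp_datagram("198.51.100.8", "203.0.113.9")
    bad = bytearray(quench("192.0.2.1", d1))
    bad[22] ^= 0x01  # corrupt one byte of the ICMP checksum
    echo = icmp_message(ICMP_ECHOREPLY, 0, b"\x00" * 8)
    return [d1, d2,
            quench("192.0.2.1", d1), quench("192.0.2.1", d2), quench("192.0.2.254", d1),
            bytes(bad),
            ipv4_header("192.0.2.1", "198.51.100.7", IPPROTO_ICMP, len(echo)) + echo,
            b"\x45\x00"]


if __name__ == "__main__":
    for router, n in quench_report(sample_packets()).items():
        print("%s originated %d Source Quench message(s)" % (router, n))
```

The checksum test matters in practice: a source quench whose checksum does not verify is discarded by the receiver and says nothing about the router, so counting it would overstate the problem. The quoted original header is what ties each message back to the flow that triggered it, which is how one distinguishes a router reacting to a forwarded flood from an end host reacting to its own traffic.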