Date: Mon, 1 Mar 2004 11:42:47 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: freebsd-security@freebsd.org
Subject: Re: mbuf vulnerability
Message-ID: <20040301113726.T17968@odysseus.silby.com>
In-Reply-To: <20040301103615.GB97298@starjuice.net>
References: <6.0.3.0.0.20040229182702.07a67a68@209.112.4.2> <20040301103615.GB97298@starjuice.net>

On Mon, 1 Mar 2004, Sheldon Hearn wrote:

> On (2004/02/29 19:03), Mike Silbersack wrote:
>
> > There is no way to fix this issue without kernel modifications. A fix has
> > been committed to -current, someone on the security team can probably
> > provide information on when the MFC will be appearing.
>
> Owch.
>
> The advisory says the DoS works by sending many out-of-sequence packets.
>
> Do you know how out-of-sequence do the packets have to be? I ask
> because if they have to be significantly staggered, then my IPFilter
> firewall might offer me some protection and I can start breathing again.
>
> Ciao,
> Sheldon.

A specially constructed stateful firewall could be constructed to deal with this DoS, but I'm certain that there's no way you could use ipf or anything preexisting to do the job.

The main reason the DoS works is not because it is sending awkward packets, but rather because we use one mbuf cluster for each segment received. Since the smallest possible segment is one byte, and a mbuf cluster is 2048 bytes, that's a pretty nasty multiplicative factor.

Would anyone feel better if I mention that it's generally pretty easy to DoS a box anyway?

Mike "Silby" Silbersack