Date: Wed, 10 Jan 2001 01:13:17 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Wes Peters <wes@softweyr.com>
Cc: Don Lewis <Don.Lewis@tsc.tdk.com>, Umesh Krishnaswamy <umesh@juniper.net>, <freebsd-security@FreeBSD.ORG>, <freebsd-net@FreeBSD.ORG>
Subject: Re: Spoofing multicast addresses
Message-ID: <Pine.BSF.4.31.0101100102020.13616-100000@achilles.silby.com>
In-Reply-To: <3A5C09BE.88B4A117@softweyr.com>
On Wed, 10 Jan 2001, Wes Peters wrote:

> Don Lewis wrote:
> > A good reason for putting these checks in their present location is
> > that it gets them out of the main code path. Under normal circumstances,
> > the vast majority of the incoming packets will be for established
> > connections and it is wasteful to do unnecessary checking on these packets.
>
> But that is exactly NOT the case when being attacked with a SYN flood
> or something like that. Perhaps it would be advantageous to trip a flag
> if we hit the bandwidth limiting rate and do the checks much earlier only
> if we're under attack?

I'm not sure that really matters. Since (nearly) any packet will undergo
the pcb lookup, reducing the overhead of multicast packets wouldn't make
much difference - attackers can just use non-multicast packets.

Does anyone have an idea on what the performance impact of the multicast
checks really is? Just having a single check at the top of the code would
be nice from a readability standpoint.

Speaking of stream, I wonder if proper multicast checks are done for icmp
responses. Hrm.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
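As an added illustration (not code from this thread or from the FreeBSD tree), here is the kind of single early address check the message asks for: it runs ahead of the pcb lookup, rejects TCP segments with a multicast or broadcast source or destination, and returns a drop reason so the kernel can keep a per-reason counter instead of answering with a RST or ICMP error. The struct, enum and function names are hypothetical; IN_MULTICAST and INADDR_BROADCAST are the standard <netinet/in.h> definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Only the two IPv4 header fields the check needs, in network byte order
 * as they arrive on the wire (hypothetical struct, not the kernel's). */
struct ip_addrs {
    struct in_addr src;
    struct in_addr dst;
};

/* Reason a segment was dropped before the pcb lookup. Keeping a counter per
 * reason gives a cheap signal: a spike in forged-source drops is visible
 * without touching the established-connection fast path. */
enum tcp_drop {
    TCP_DROP_NONE = 0,      /* both addresses unicast: go on to the pcb lookup */
    TCP_DROP_BAD_ADDR,      /* unparseable address (string wrapper only) */
    TCP_DROP_MCAST_SRC,     /* forged: multicast (224.0.0.0/4) source */
    TCP_DROP_BCAST_SRC,     /* forged: limited-broadcast source */
    TCP_DROP_MCAST_DST,     /* TCP never uses a group destination */
    TCP_DROP_BCAST_DST,     /* TCP never uses a broadcast destination */
};

/* TCP runs only between unicast endpoints, so a multicast or broadcast
 * address in either field marks a forged or misdelivered segment. It must be
 * dropped silently: a RST or ICMP error would be addressed to the group or
 * broadcast address, i.e. to hosts that never sent anything. The same test
 * gates error generation, which is the icmp concern raised above. */
enum tcp_drop tcp_addr_prefilter(const struct ip_addrs *a)
{
    uint32_t s = ntohl(a->src.s_addr);
    uint32_t d = ntohl(a->dst.s_addr);
    if (IN_MULTICAST(s))        return TCP_DROP_MCAST_SRC;
    if (s == INADDR_BROADCAST)  return TCP_DROP_BCAST_SRC;
    if (IN_MULTICAST(d))        return TCP_DROP_MCAST_DST;
    if (d == INADDR_BROADCAST)  return TCP_DROP_BCAST_DST;
    return TCP_DROP_NONE;
}

/* Same check on dotted-quad strings, for tests and tools; a malformed
 * address is reported rather than silently treated as unicast. */
enum tcp_drop tcp_addr_prefilter_str(const char *src, const char *dst)
{
    struct ip_addrs a;
    if (inet_pton(AF_INET, src, &a.src) != 1) return TCP_DROP_BAD_ADDR;
    if (inet_pton(AF_INET, dst, &a.dst) != 1) return TCP_DROP_BAD_ADDR;
    return tcp_addr_prefilter(&a);
}
```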