From owner-freebsd-security Tue Jan 9 23:13:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 2A68837B401 for ; Tue, 9 Jan 2001 23:13:18 -0800 (PST)
Received: (qmail 13712 invoked by uid 1000); 10 Jan 2001 07:13:17 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Jan 2001 07:13:17 -0000
Date: Wed, 10 Jan 2001 01:13:17 -0600 (CST)
From: Mike Silbersack
To: Wes Peters
Cc: Don Lewis , Umesh Krishnaswamy , ,
Subject: Re: Spoofing multicast addresses
In-Reply-To: <3A5C09BE.88B4A117@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 10 Jan 2001, Wes Peters wrote:

> Don Lewis wrote:
> > A good reason for putting these checks in their present location is
> > that it gets them out of the main code path. Under normal circumstances,
> > the vast majority of the incoming packets will be for established
> > connections and it is wasteful to do unnecessary checking on these packets.
>
> But that is exactly NOT the case when being attacked with a SYN flood
> or something like that. Perhaps it would be advantageous to trip a flag
> if we hit the bandwidth limiting rate and do the checks much earlier only
> if we're under attack?

I'm not sure that really matters. Since (nearly) any packet will undergo
the pcb lookup, reducing the overhead of multicast packets wouldn't make
much difference - attackers can just use non-multicast packets.

Does anyone have an idea on what the performance impact of the multicast
checks really is? Just having a single check at the top of the code would
be nice from a readability standpoint.

Speaking of stream, I wonder if proper multicast checks are done for icmp
responses. Hrm.
Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
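The checks the thread is arguing about, written out as a stand-alone example. This is added illustration, not code from the FreeBSD tree or from anyone on the list. It applies the rules RFC 1122 sets out: a TCP must not act on (or answer) a segment whose destination is a broadcast or multicast address, and an ICMP error must not be generated in response to an ICMP error, a datagram addressed to a broadcast or multicast address, a link-layer broadcast, a non-initial fragment, or a datagram whose source does not name a single host. The `struct pkt` view of a datagram, the `link_bcast` flag (standing in for a link-layer broadcast/multicast mark on the frame), the caller-supplied directed-broadcast address of the receiving subnet, and all function names are assumptions made for this example; addresses are in host byte order.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, minimal view of a received IPv4 datagram (not a FreeBSD
 * structure).  All address fields are in host byte order. */
struct pkt {
    uint32_t src;        /* source address */
    uint32_t dst;        /* destination address */
    uint8_t  proto;      /* IP protocol number */
    uint16_t frag_off;   /* fragment offset; 0 means first/only fragment */
    uint8_t  icmp_type;  /* meaningful only when proto == PROTO_ICMP */
    bool     link_bcast; /* frame arrived as link-layer broadcast/multicast (assumed flag) */
};

#define PROTO_ICMP 1
#define PROTO_TCP  6

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
}

/* Class D, 224.0.0.0/4 */
static bool in_multicast(uint32_t a) { return (a >> 28) == 0xE; }

/* Class E, 240.0.0.0/4 (reserved) */
static bool in_experimental(uint32_t a) { return (a >> 28) == 0xF; }

/* Limited broadcast, or the directed broadcast of the receiving subnet.
 * The kernel knows the latter from the interface; here the caller passes it. */
static bool in_broadcast(uint32_t a, uint32_t subnet_bcast)
{
    return a == 0xFFFFFFFFu || a == subnet_bcast;
}

/* A source that "does not define a single host" (RFC 1122 3.2.2): zero,
 * loopback, broadcast, multicast or Class E.  Answering such a source
 * means sending a reply somewhere the sender never was. */
static bool src_is_unanswerable(uint32_t a, uint32_t subnet_bcast)
{
    return a == 0 || (a >> 24) == 127 || in_multicast(a) ||
           in_experimental(a) || in_broadcast(a, subnet_bcast);
}

/* ICMP error message types (RFC 792): unreachable, source quench,
 * redirect, time exceeded, parameter problem. */
static bool icmp_is_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Should TCP input look at this segment at all?  A broadcast/multicast
 * destination or an unanswerable source is discarded silently, so no
 * RST is ever sent to a spoofed or group address.  Done once, up front,
 * before any pcb lookup. */
static bool tcp_may_process(const struct pkt *p, uint32_t subnet_bcast)
{
    if (p->link_bcast)
        return false;
    if (in_multicast(p->dst) || in_broadcast(p->dst, subnet_bcast))
        return false;
    if (src_is_unanswerable(p->src, subnet_bcast))
        return false;
    return true;
}

/* May an ICMP error be generated in response to this datagram?
 * Implements the "MUST NOT" list of RFC 1122 3.2.2. */
static bool icmp_error_allowed(const struct pkt *p, uint32_t subnet_bcast)
{
    if (p->proto == PROTO_ICMP && icmp_is_error(p->icmp_type))
        return false;                          /* never error on an error */
    if (in_multicast(p->dst) || in_broadcast(p->dst, subnet_bcast))
        return false;                          /* group/broadcast destination */
    if (p->link_bcast)
        return false;                          /* link-layer broadcast */
    if (p->frag_off != 0)
        return false;                          /* non-initial fragment */
    if (src_is_unanswerable(p->src, subnet_bcast))
        return false;                          /* reply would go nowhere real */
    return true;
}

int main(void)
{
    /* Constructed sample: a TCP SYN to 224.0.0.1 from a unicast source. */
    uint32_t bcast = ip4(10, 0, 0, 255);
    struct pkt syn_to_group = { ip4(10, 0, 0, 5), ip4(224, 0, 0, 1), PROTO_TCP, 0, 0, false };
    printf("tcp processes segment to 224.0.0.1: %s\n",
           tcp_may_process(&syn_to_group, bcast) ? "yes" : "no");
    printf("icmp error allowed for it:          %s\n",
           icmp_error_allowed(&syn_to_group, bcast) ? "yes" : "no");
    return 0;
}
```

Both predicates are cheap bit tests on two addresses, which is the cost the thread is asking about; the point of putting them first is not speed but that every later path (pcb lookup, RST generation, ICMP port-unreachable) is then guaranteed to see only addresses it may legitimately answer.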