Date: Sun, 20 Feb 2000 11:43:41 -0500 (EST) From: Omachonu Ogali <oogali@intranova.net> To: netdude@bc.sympatico.ca Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-security@freebsd.org Subject: Re: kern/16828: High Speed Pinging Over 8184 bytes Kills Server Instantly Message-ID: <Pine.BSF.4.10.10002201137580.49727-200000@hydrant.intranova.net> In-Reply-To: <200002200401.UAA02923@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Attached unofficial patch to drop ICMP packets larger than 8184 bytes. E-Mail/Flame me if not liked... I wanted to be able to set the maximum value via sysctl but I'm not sure if I'll break anything, feel free to pick up from there. On Sat, 19 Feb 2000 netdude@bc.sympatico.ca wrote: > > >Number: 16828 > >Category: kern > >Synopsis: High Speed Pinging Over 8184 bytes Kills Server Instantly > >Confidential: no > >Severity: critical > >Priority: high > >Responsible: freebsd-bugs > >State: open > >Quarter: > >Keywords: > >Date-Required: > >Class: sw-bug > >Submitter-Id: current-users > >Arrival-Date: Sat Feb 19 20:10:01 PST 2000 > >Closed-Date: > >Last-Modified: > >Originator: Ahsanul Shajan Alam > >Release: 3.3-RELEASE > >Organization: > TheCoolHost.com, Inc. > >Environment: > FreeBSD big_server1.webdevstudio.com 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386 > >Description: > High speed pinging to anyone or from anyone on a local ethernet network with packet sizes over 8184 bytes will bring down the server, regardless of whether packets were being directed to it or another target which is online OR offline. Once pinging starts from any other machine, if local the BSD server will go down immediately, if from a remote source, it will go down in a few seconds. > > What makes this problem really bad is the fact that the target of the pings does not even have to be the server, it can be any on the ethernet segment... > >How-To-Repeat: > pick any LINUX box and do a: > > ping -fs 10000 <any IP on the local ethernet network> > > But note: if the ping packets are exactly 8184 bytes, the server will just respond back at them and "laugh", if larger (ideally 10000 bytes) the server will die immediately... > >Fix: > get upstream provider to disable ping packets from coming in, BUT that will NOT protect you if the source of the pings is on the same ethernet segment. Desparate to find a "cure" to this problem. Please email: netdude@bc.sympatico.ca or president@thecoolhost.com if you know of any solutions, or if anybody can send me exactly what I need to type in to disable pings via IPFW... hmm... Thanks for you time. > > >Release-Note: > >Audit-Trail: > >Unformatted: > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-bugs" in the body of the message > -- +-------------------------------------------------------------------------+ | Omachonu Ogali oogali@intranova.net | | Intranova Networking Group http://tribune.intranova.net | | PGP Key ID: 0xBFE60839 | | PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 | +-------------------------------------------------------------------------+ [-- Attachment #2 --] --- ip_input.c.orig Sun Feb 20 11:31:44 2000 +++ ip_input.c Sun Feb 20 11:37:31 2000 @@ -348,6 +348,16 @@ NTOHS(ip->ip_off); /* + * Drop excessively large ICMP packets (> 8184 bytes) + * - oogali@intranova.net + */ + + if ((ip->ip_len > 8184) && (ip->ip_p == IPPROTO_ICMP)) { + ipstat.ips_toolong++; + goto bad; + } + + /* * Check that the amount of data in the buffers * is as at least much as the IP header would have us expect. * Trim mbufs if longer than we expect.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10002201137580.49727-200000>