Date: Sat, 22 Feb 2003 00:43:29 -0600 (CST)
From: Mike Silbersack
To: Mike Silbersack
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c ip_var.h
In-Reply-To: <200302220641.h1M6flW1021245@repoman.freebsd.org>
Message-ID: <20030222004132.C3092@odysseus.silby.com>
References: <200302220641.h1M6flW1021245@repoman.freebsd.org>

Note that this change *should* stop any IP frag DoS from bringing a system to its knees, but that opinion is only based on testing on my little LAN. If you see a successful attack in the wild, please send me tcpdumps of it so I can see what can be done.
Mike "Silby" Silbersack

On Fri, 21 Feb 2003, Mike Silbersack wrote:

> silby       2003/02/21 22:41:47 PST
>
>   Modified files:
>     sys/netinet          ip_input.c ip_var.h
>   Log:
>   Add the ability to limit the number of IP fragments allowed per packet,
>   and enable it by default, with a limit of 16.
>
>   At the same time, tweak maxfragpackets downward so that in the worst
>   possible case, IP reassembly can use only 1/2 of all mbuf clusters.
>
>   MFC after:    3 days
>   Reviewed by:  hsu
>   Liked by:     bmah
>
>   Revision  Changes    Path
>   1.225     +28 -4     src/sys/netinet/ip_input.c
>   1.71      +1 -0      src/sys/netinet/ip_var.h
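A small model of the two limits the commit message describes, added here as an example; it is not the FreeBSD ip_input.c code and none of the identifiers are the kernel's. It assumes each queued fragment pins at most one mbuf cluster, so with 16 fragments per packet, holding the queue count at nmbclusters/32 bounds reassembly at half of all clusters, which is the worst case the log entry states.

```c
#include <string.h>

/* Added model of the per-packet fragment cap and the maxfragpackets bound
 * from the commit message; not FreeBSD code, all names are ours. */
#define MAXFRAGSPERPACKET 16   /* per-packet fragment cap from the commit */
#define MAX_QUEUES 64          /* capacity of this toy reassembly table */

struct ipq { unsigned short id; int nfrags, in_use; unsigned long born; };
struct reasm {
    struct ipq q[MAX_QUEUES];
    int nqueues, maxfragpackets, dropped_queues;
    unsigned long clock;       /* creation stamp, identifies the oldest queue */
};

/* Worst case: maxfragpackets queues x MAXFRAGSPERPACKET one-cluster frags.
 * Bounding that at nmbclusters/2 gives nmbclusters / (2 * 16) = nmbclusters/32. */
int maxfragpackets_for(int nmbclusters) {
    int n = nmbclusters / (2 * MAXFRAGSPERPACKET);
    return n < 1 ? 1 : n > MAX_QUEUES ? MAX_QUEUES : n;
}
void reasm_init(struct reasm *r, int nmbclusters) {
    memset(r, 0, sizeof *r);
    r->maxfragpackets = maxfragpackets_for(nmbclusters);
}
static void drop_queue(struct reasm *r, struct ipq *q) {
    q->in_use = 0; r->nqueues--; r->dropped_queues++;
}
/* Find the queue for this IP id or open one, evicting the oldest queue first
 * when the maxfragpackets limit is already reached. */
static struct ipq *lookup(struct reasm *r, unsigned short id) {
    struct ipq *spare = NULL, *oldest = NULL;
    for (int i = 0; i < MAX_QUEUES; i++) {
        struct ipq *q = &r->q[i];
        if (q->in_use && q->id == id) return q;
        if (!q->in_use) { if (!spare) spare = q; }
        else if (!oldest || q->born < oldest->born) oldest = q;
    }
    if (r->nqueues >= r->maxfragpackets) { drop_queue(r, oldest); spare = oldest; }
    *spare = (struct ipq){ .id = id, .in_use = 1, .born = r->clock++ };
    r->nqueues++;
    return spare;
}
/* Returns 1 if the fragment was queued, 0 if it pushed the packet past the
 * cap and the whole queue was discarded, so a flood cannot keep growing. */
int reasm_input(struct reasm *r, unsigned short id) {
    struct ipq *q = lookup(r, id);
    if (++q->nfrags > MAXFRAGSPERPACKET) { drop_queue(r, q); return 0; }
    return 1;
}
```

Feeding 17 fragments with one IP id accepts 16 and then discards the queue; opening a 33rd queue on a table sized for 1024 clusters evicts the oldest rather than growing.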