Date:      Mon, 6 Aug 2001 02:20:58 -0700 (PDT)
From:      Jesper Skriver <jesper@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_input.c
Message-ID:  <200108060920.f769Kwg69530@freefall.freebsd.org>

jesper      2001/08/06 02:20:58 PDT

  Modified files:        (Branch: RELENG_3)
    sys/netinet          ip_input.c 
  Log:
  MFS
  
  src/sys/netinet/ip_input.c      rev 1.130.2.22
  src/sys/netinet6/frag6.c        rev 1.2.2.4
  src/sys/netinet6/in6_proto.c    rev 1.6.2.4
  
    Prevent denial of service using bogus fragmented IPv4 packets.
  
    An attacker sending a lot of bogus fragmented packets to the target
    (with different IPv4 identification field - ip_id), may be able
    to put the target machine into mbuf starvation state.
  
    By setting an upper limit on the number of reassembly queues we
    prevent this situation.
  
    This upper limit is controlled by the new sysctl
    net.inet.ip.maxfragpackets which defaults to nmbclusters/4
  
    If you want old behaviour (no upper limit) set this sysctl
    to a negative value.
  
    If you don't want to accept any fragments (not recommended)
    set the sysctl to 0 (zero)
  
  Obtained from:	NetBSD (partially)
  
  Revision    Changes    Path
  1.111.2.10  +34 -2     src/sys/netinet/ip_input.c
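
The limit described in the log above, as an added example that is not part of the original commit or of FreeBSD's ip_input.c: a small user-space C model of how the three settings of net.inet.ip.maxfragpackets (negative, zero, positive) gate the creation of reassembly queues. The struct, the function names, the table size, keying queues on ip_id alone, and dropping the fragment when the cap is reached are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SLOTS 64          /* constructed size, stands in for mbuf memory */

struct reass_table {
    int      maxfragpackets;    /* <0: no limit, 0: refuse fragments, >0: cap */
    int      nqueues;           /* reassembly queues currently open */
    uint16_t ids[TABLE_SLOTS];  /* ip_id of each open queue (model key) */
};

/* Returns true if the fragment is queued, false if it is dropped. */
static bool frag_admit(struct reass_table *t, uint16_t ip_id)
{
    if (t->maxfragpackets == 0)
        return false;                       /* fragments not accepted at all */
    for (int i = 0; i < t->nqueues; i++)
        if (t->ids[i] == ip_id)
            return true;                    /* joins an existing queue */
    if (t->maxfragpackets > 0 && t->nqueues >= t->maxfragpackets)
        return false;                       /* cap reached: no new queue */
    if (t->nqueues >= TABLE_SLOTS)
        return false;                       /* model storage exhausted */
    t->ids[t->nqueues++] = ip_id;           /* open a new reassembly queue */
    return true;
}

/* Feed n fragments, each with a distinct ip_id; return open queue count. */
static int flood_distinct_ids(struct reass_table *t, int n)
{
    for (int i = 0; i < n; i++)
        frag_admit(t, (uint16_t)(1000 + i));
    return t->nqueues;
}

int main(void)
{
    struct reass_table capped  = { .maxfragpackets = 8 };
    struct reass_table nolimit = { .maxfragpackets = -1 };
    struct reass_table off     = { .maxfragpackets = 0 };

    printf("limit 8:  %d queues\n", flood_distinct_ids(&capped, 40));
    printf("limit -1: %d queues\n", flood_distinct_ids(&nolimit, 40));
    printf("limit 0:  %d queues\n", flood_distinct_ids(&off, 40));
    return 0;
}
```

With the cap in place, fragments belonging to a queue that is already open are still accepted; only the creation of further queues is refused.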

