From owner-freebsd-net@FreeBSD.ORG Wed Mar 31 16:09:12 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E9BE16A4CF for ; Wed, 31 Mar 2004 16:09:12 -0800 (PST)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id DCF1443D39 for ; Wed, 31 Mar 2004 16:09:11 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 64702 invoked from network); 1 Apr 2004 00:09:10 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 1 Apr 2004 00:09:10 -0000
X-pair-Authenticated: 209.68.2.70
Date: Wed, 31 Mar 2004 18:09:09 -0600 (CST)
From: Mike Silbersack
To: Andre Oppermann
In-Reply-To: <406B3CC0.C277B933@freebsd.org>
Message-ID: <20040331180359.G4941@odysseus.silby.com>
References: <20040331205406.GD16803@madman.celabo.org> <406B3CC0.C277B933@freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: "Jacques A. Vidrine"
cc: freebsd-net@freebsd.org
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 01 Apr 2004 00:09:12 -0000

On Wed, 31 Mar 2004, Andre Oppermann wrote:

> We have the following sysctl's to withstand such an attack:
>
> net.inet.ip.maxfragpackets [800]
> net.inet.ip.maxfragsperpacket [16]
>
> Which limits such an attack to 800 packets overall and 16 fragments
> per packet.
>
> Of course, when the maxfragpackets limit is reached by malicious
> packets we are unable to process legitimate fragmented IP packets
> until the malicious ones start to time out. There is nothing else
> one can do to fight off such an attack.
>
> --
> Andre

Actually, once the limit is reached, packets are forced out in FIFO order.
However, if the attack is continuous and of a high data rate, then it is
possible that legitimate packets will be forced out of the queue before they
can be fully reassembled. NetBSD has adopted a slightly different approach to
the problem: they track the total number of fragments, then do a random purge
of reassembly queues whenever the fragment count hits a certain threshold. I
suspect that under a high bandwidth fragmentation attack, both approaches
would be overwhelmed.

I'm not sure what's really new about this "Rose Attack"; it shouldn't affect
4.8+ FreeBSD machines much at all. I'm actually puzzled that his attack does
anything at all, you can eat up a lot more memory using fragrouter and some
creative ipfw rules. :)

Mike "Silby" Silbersack
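Added illustration (not part of the thread, and not FreeBSD or NetBSD kernel code): a small Python model of the two overflow policies contrasted above. The "fifo" policy follows the FreeBSD behaviour as described here (a cap of maxfragpackets = 800 reassembly queues, maxfragsperpacket = 16 fragments per queue, oldest queue forced out when a new one would exceed the cap); the "random" policy follows the NetBSD description (count all fragments held, purge a randomly chosen queue when the count reaches a threshold). The class and function names, the one-fragment-per-step delivery schedule, the 800-fragment budget for the "random" policy (chosen to match maxfragpackets for a like-for-like comparison, not a NetBSD default), and the rule that an over-long chain is dropped whole are all assumptions of the model.

```python
"""Toy model of fragment-reassembly overflow policies (constructed example).

"fifo":   at most maxfragpackets queues and maxfragsperpacket fragments per
          queue; when a new queue would exceed the cap the oldest is evicted.
"random": total fragments held are counted; when the count reaches maxfrags
          a randomly chosen queue is purged before the new fragment is queued.
Only 800 and 16 come from the thread; every other number is an assumption.
"""
from collections import OrderedDict
import random


class ReassemblyTable:
    def __init__(self, policy, maxfragpackets=800, maxfragsperpacket=16,
                 maxfrags=800, seed=0):
        assert policy in ("fifo", "random")
        self.policy = policy
        self.maxfragpackets = maxfragpackets
        self.maxfragsperpacket = maxfragsperpacket
        self.maxfrags = maxfrags          # assumed fragment budget for "random"
        self.rng = random.Random(seed)    # seeded so a run is reproducible
        self.queues = OrderedDict()       # datagram key -> set of fragment indices
        self.nfrags = 0                   # fragments currently held
        self.evicted = 0                  # incomplete queues thrown away

    def _purge(self, key):
        self.nfrags -= len(self.queues.pop(key))
        self.evicted += 1

    def insert(self, key, index, total):
        """Queue fragment `index` of `total` for datagram `key`.

        Returns True when the datagram is complete and leaves the table."""
        if self.policy == "random" and self.nfrags >= self.maxfrags:
            # NetBSD-style: any queue, legitimate or not, may be the victim
            self._purge(self.rng.choice(list(self.queues)))
        if key not in self.queues:
            if self.policy == "fifo" and len(self.queues) >= self.maxfragpackets:
                # FreeBSD-style: the oldest queue is forced out, whatever it holds
                self._purge(next(iter(self.queues)))
            self.queues[key] = set()
        q = self.queues[key]
        if index in q:
            return False                  # duplicate fragment, nothing to do
        q.add(index)
        self.nfrags += 1
        if self.policy == "fifo" and len(q) > self.maxfragsperpacket:
            self._purge(key)              # assumption: oversized chain dropped whole
            return False
        if len(q) == total:
            self.nfrags -= len(self.queues.pop(key))
            return True
        return False


def simulate(policy, attack_frags_per_legit_frag, n_legit=100,
             frags_per_legit=4, seed=1):
    """Deliver n_legit legitimate datagrams one fragment at a time; after each
    legitimate fragment inject attack_frags_per_legit_frag first fragments of
    datagrams whose remaining fragment never arrives (constructed traffic).
    Returns how many legitimate datagrams were fully reassembled."""
    table = ReassemblyTable(policy, seed=seed)
    completed = 0
    attack_id = 0
    for n in range(n_legit):
        for i in range(frags_per_legit):
            if table.insert(("legit", n), i, frags_per_legit):
                completed += 1
            for _ in range(attack_frags_per_legit_frag):
                table.insert(("attack", attack_id), 0, 2)   # 2nd frag never sent
                attack_id += 1
    return completed


if __name__ == "__main__":
    print("attack frags per legit frag | fifo completed | random completed")
    for rate in (0, 100, 300):
        print(f"{rate:>27} | {simulate('fifo', rate):>14} | "
              f"{simulate('random', rate):>16}")
```

With these parameters the FIFO table reassembles everything while fewer than 800 foreign queues arrive between a datagram's first and last fragment, then drops every legitimate datagram once that rate is exceeded; the random purge has no such cliff but starts losing a fraction of legitimate datagrams as soon as the fragment budget is reached, and loses more as the rate rises. Both end up discarding most legitimate traffic under a sufficiently fast flood, which is the point made above; what the model adds is that the two policies fail in different shapes, which matters for how such an event shows up in monitoring (an abrupt loss of all fragmented traffic versus a gradual rise in reassembly timeouts).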