From owner-freebsd-security Tue Oct 22 18:29:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA20992 for security-outgoing; Tue, 22 Oct 1996 18:29:33 -0700 (PDT)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA20984 for ; Tue, 22 Oct 1996 18:29:29 -0700 (PDT)
Received: (from steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) id SAA00424; Tue, 22 Oct 1996 18:29:24 -0700
Date: Tue, 22 Oct 1996 18:29:21 -0700 (PDT)
From: Steve Reid
To: security@freebsd.org
Subject: [more bugtraq] Re: Suspicion about denial of service attacks possible on IP. (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Another from Bugtraq. Can anyone confirm or deny the last paragraph?

For anyone who's interested, Bugtraq is archived at http://geek-girl.com/bugtraq/

---------- Forwarded message ----------
Date: Wed, 23 Oct 1996 07:45:57 +1000
From: Darren Reed
To: Multiple recipients of list BUGTRAQ
Subject: Re: Suspicion about denial of service attacks possible on IP.

In some mail from Henrik P Johnson, sie said:
>
> I was idly reading through Internetworking with TCP/IP yesterday when it hit me
> what might be a possible denial of service attack on IP stacks. What would
> happen if a host was bombarded with faked fragments of large IP packages. Would
> the stack allocate more and more memory trying to reconstruct the packages or
> do they operate with a fixed/max size limit on memory allocated for IP
> defragmentation?

It is possible, but it requires a lot of packets. Different boxes handle it differently too. When I tried it against my SunOS4 box, it didn't crash, but X-Windows could not be used after it ran out of mbufs.

There's a bug in how overlapping mbufs are freed in BSD code up to 4.4BSD-Lite/2 (I believe) - that or it never got merged with FreeBSD 2.1.5. (Patch for this is included with IP Filter ;) For FreeBSD, it seems that the result is that it never frees the mbuf...

Darren
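
Added example, not part of the original messages and not taken from BSD or IP Filter code: a small C model of a reassembly queue that keeps a fixed cap on the memory it holds and releases every fragment a new one overlaps, so the byte count always returns to zero. The names (`fragq`, `frag_insert`, `frag_flush`), the 4096-byte cap and the policy of discarding an overlapped older fragment are assumptions made for illustration.

```c
#include <stdlib.h>
#include <stddef.h>

#define FRAG_MEM_CAP 4096u  /* assumed cap on payload bytes held for reassembly */

struct frag  { unsigned off, len; struct frag *next; };
struct fragq { struct frag *head; size_t held; };

/* Unlink one fragment and return its bytes to the budget. */
static void frag_free(struct fragq *q, struct frag **pp)
{
    struct frag *f = *pp;
    *pp = f->next;
    q->held -= f->len;
    free(f);
}

/* Queue a fragment covering [off, off+len). Returns 0 if queued, -1 if refused. */
int frag_insert(struct fragq *q, unsigned off, unsigned len)
{
    struct frag **pp = &q->head, *n;

    /* Reject fragments that would extend past the 65535-byte IP datagram limit. */
    if (len == 0 || len > 65535u || off > 65535u - len)
        return -1;
    /* Assumed policy: discard each older fragment the new one overlaps,
     * freeing it exactly once so its buffer is never left behind. */
    while (*pp) {
        struct frag *f = *pp;
        if (f->off < off + len && off < f->off + f->len)
            frag_free(q, pp);
        else
            pp = &f->next;
    }
    if (q->held + len > FRAG_MEM_CAP)
        return -1;                   /* over budget: refuse instead of growing */
    n = malloc(sizeof *n + len);     /* header plus room for the payload */
    if (n == NULL)
        return -1;
    n->off = off;
    n->len = len;
    n->next = q->head;
    q->head = n;
    q->held += len;
    return 0;
}

/* Release everything still queued, as a reassembly timeout would. */
void frag_flush(struct fragq *q)
{
    while (q->head)
        frag_free(q, &q->head);
}
```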