From owner-freebsd-net Mon Nov 11 22:21:28 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5285237B401 for ; Mon, 11 Nov 2002 22:21:27 -0800 (PST)
Received: from out5.mx.nwbl.wi.voyager.net (out5.mx.nwbl.wi.voyager.net [169.207.3.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id C369243E42 for ; Mon, 11 Nov 2002 22:21:26 -0800 (PST) (envelope-from silby@silby.com)
Received: from [10.1.1.6] (d81.as6.nwbl0.wi.voyager.net [169.207.128.81]) by out5.mx.nwbl.wi.voyager.net (Postfix) with ESMTP id D42F2C6F58; Tue, 12 Nov 2002 00:21:24 -0600 (CST)
Date: Tue, 12 Nov 2002 00:27:54 -0600 (CST)
From: Mike Silbersack
To: David Gilbert
Cc: freebsd-net@freebsd.org
Subject: Re: forwarded message on Source Quench Packets.
In-Reply-To: <15824.4383.916763.477130@canoe.velocet.net>
Message-ID: <20021112002616.I21273-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

(redirected to -net so others can review this)

I can see how these source quench messages would cause problems if a DoS is being routed through a FreeBSD router, and I think that your patch makes sense. Are there any objections to me committing this in a few days?

Mike "Silby" Silbersack

On Mon, 11 Nov 2002, David Gilbert wrote:

> I normally wouldn't forward something to such a big list, but this has
> real implications (and was part of a nasty DOS against dsl.ca last
> week). The patch for FreeBSD (netbsd code is quoted) is trivial:
>
> --- /sys/netinet/ip_input.c Thu Oct 17 08:29:53 2002
> +++ ip_input.c Mon Nov 11 15:15:31 2002
> @@ -1822,9 +1822,7 @@
> break;
>
> case ENOBUFS:
> - type = ICMP_SOURCEQUENCH;
> - code = 0;
> - break;
> + return;
>
> case EACCES: /* ipfw denied packet */
> m_freem(mcopy);
>
> I'm submitting a PR now.
>
> For discussion: source quenches probably shouldn't be generated
> anyways, but this patch also doesn't generate the source quench if
> we're the target machine. It's probably good to go straight ahead
> with this. IIRC, tcp_input.c also can generate a source quench
> ...
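Review bot: The bare `+ return;` in the ENOBUFS case leaves `mcopy` unfreed, which looks like an mbuf leak: the neighbouring `EACCES` case in the same hunk releases the copy explicitly with `m_freem(mcopy);` before it stops processing, and the removed `break;` previously let this case reach the common ICMP error path that consumed `mcopy`. Suggest `m_freem(mcopy); return;` in place of the lone `return;`, or keep the `type`/`code` assignment and gate it behind a tunable so the default is "never send Source Quench when forwarding" (which is what RFC 1812 asks of routers) while the old behaviour stays available to anyone who still wants it.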