From owner-freebsd-net  Mon Nov 11 22:21:28 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5285237B401
	for <freebsd-net@freebsd.org>; Mon, 11 Nov 2002 22:21:27 -0800 (PST)
Received: from out5.mx.nwbl.wi.voyager.net (out5.mx.nwbl.wi.voyager.net [169.207.3.123])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C369243E42
	for <freebsd-net@freebsd.org>; Mon, 11 Nov 2002 22:21:26 -0800 (PST)
	(envelope-from silby@silby.com)
Received: from [10.1.1.6] (d81.as6.nwbl0.wi.voyager.net [169.207.128.81])
	by out5.mx.nwbl.wi.voyager.net (Postfix) with ESMTP
	id D42F2C6F58; Tue, 12 Nov 2002 00:21:24 -0600 (CST)
Date: Tue, 12 Nov 2002 00:27:54 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: David Gilbert <dgilbert@velocet.ca>
Cc: freebsd-net@freebsd.org
Subject: Re: forwarded message on Source Quench Packets.
In-Reply-To: <15824.4383.916763.477130@canoe.velocet.net>
Message-ID: <20021112002616.I21273-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org


(redirected to -net so others can review this)

I can see how these source quench messages would cause problems if a DoS
is being routed through a FreeBSD router, and I think that your patch
makes sense.  Are there any objections to me committing this in a few
days?

Mike "Silby" Silbersack

On Mon, 11 Nov 2002, David Gilbert wrote:

> I normally wouldn't forward something to such a big list, but this has
> real implications (and was part of a nast DOS against dsl.ca last
> week).  The patch for FreeBSD (netbsd code is quoted) is trivial:
>
> --- /sys/netinet/ip_input.c     Thu Oct 17 08:29:53 2002
> +++ ip_input.c  Mon Nov 11 15:15:31 2002
> @@ -1822,9 +1822,7 @@
>                 break;
>
>         case ENOBUFS:
> -               type = ICMP_SOURCEQUENCH;
> -               code = 0;
> -               break;
> +               return;
>
>         case EACCES:                    /* ipfw denied packet */
>                 m_freem(mcopy);
>
> I'm submitting a PR now.
>
> For discussion: source quenches probably shouldn't be generated
> anyways, but this patch also doesn't generate the source quench if
> we're the target machine.  It's probably good to go straight ahead
> with this.  IIRC, tcp_input.c also can generate a source quench
> ...
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message