From owner-freebsd-security Fri Jan 21 15:22:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 349CA15711 for ; Fri, 21 Jan 2000 15:22:52 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id AAA07194; Sat, 22 Jan 2000 00:22:11 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: Matthew Dillon
Cc: Alfred Perlstein, Brett Glass, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
In-reply-to: Your message of "Fri, 21 Jan 2000 15:11:06 PST." <200001212311.PAA64559@apollo.backplane.com>
Date: Sat, 22 Jan 2000 00:22:11 +0100
Message-ID: <7192.948496931@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200001212311.PAA64559@apollo.backplane.com>, Matthew Dillon writes:

> No, this is far too dangerous. If a packet is bad due to being
> corrupted then you want to throw it away (via the checksum check)
> *BEFORE* you start messing around with the socket state. Otherwise
> a perfectly legitimate packet that got corrupted in transit may
> cause a disconnect or other failure.

It makes a lot of sense to do cheap (relative to the checksum) checks on the packet before we do the checksum, as long as we don't modify any state before the checksum is validated.

If it is cheaper to try to locate the pcb than to calculate the checksum, then locate the pcb first and drop the packet before doing the checksum.

People who have run batch systems will tell you that you run the shortest job first because it improves your average service time a lot. We're trying to do the same thing here.

The general fix for this entire class of DoS attacks is therefore the same thing: toss out the packet as soon as possible, and as cheaply as possible.

That doesn't mean that we won't also need some kind of rate-limiting in the output (RST) path to survive.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
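The ordering argument above (cheapest reject first, no state touched before the checksum is verified, plus a budget on the RST output path) as an added illustration; this is not phk's code nor anything from the FreeBSD kernel. It uses a constructed, simplified packet model (`struct pkt`, a fixed table standing in for the pcb list, an Internet-style one's complement checksum over the payload) and a token bucket for RST output; every name here is an assumption for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed packet model for the example (not an mbuf or tcpiphdr). */
struct pkt {
    uint16_t       dst_port;
    uint16_t       csum;     /* sender's checksum over payload */
    const uint8_t *payload;
    size_t         len;
};

enum verdict { DROP_NO_PCB = 1, DROP_BAD_CSUM = 2, ACCEPT = 3 };

/* Stand-in for the pcb list: ports with a listener. Cheap to consult. */
static const uint16_t listening_ports[] = { 22, 80, 443 };

static bool pcb_exists(uint16_t port)
{
    for (size_t i = 0; i < sizeof listening_ports / sizeof listening_ports[0]; i++)
        if (listening_ports[i] == port)
            return true;
    return false;
}

/* Expensive stage: Internet-style one's complement checksum over every byte. */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Shortest job first: the pcb lookup runs before the checksum, and nothing
 * (no socket state) is modified until both checks have passed. */
static enum verdict classify(const struct pkt *p, unsigned *checksums_done)
{
    if (!pcb_exists(p->dst_port))
        return DROP_NO_PCB;                 /* rejected without paying for the checksum */
    (*checksums_done)++;
    if (inet_checksum(p->payload, p->len) != p->csum)
        return DROP_BAD_CSUM;               /* corrupted: discard, touch no state */
    return ACCEPT;                          /* only now may socket state change */
}

/* Token bucket for the output (RST) path: at most `burst` in a bunch,
 * refilled at `rate_per_sec`. */
struct rst_bucket { unsigned tokens, rate_per_sec, burst; uint64_t last_sec; };

static bool rst_allowed(struct rst_bucket *b, uint64_t now_sec)
{
    if (now_sec > b->last_sec) {
        uint64_t refill = (now_sec - b->last_sec) * b->rate_per_sec + b->tokens;
        b->tokens = refill > b->burst ? b->burst : (unsigned)refill;
        b->last_sec = now_sec;
    }
    if (b->tokens == 0)
        return false;
    b->tokens--;
    return true;
}

/* Demo: classify one constructed packet; returns verdict*10 + checksums computed. */
int demo_classify(uint16_t port, int corrupt)
{
    uint8_t payload[] = { 'h', 'e', 'l', 'l', 'o', '!', '?' };   /* constructed, odd length */
    struct pkt p = { port, inet_checksum(payload, sizeof payload), payload, sizeof payload };
    if (corrupt)
        payload[2] ^= 0x01;                 /* simulate a bit flip in transit */
    unsigned done = 0;
    enum verdict v = classify(&p, &done);
    return (int)v * 10 + (int)done;
}

/* Demo: burst 4, rate 2/s; six RST attempts at t=0 then three at t=1. */
int demo_rst_budget(void)
{
    struct rst_bucket b = { 4, 2, 4, 0 };
    int allowed = 0;
    for (int i = 0; i < 6; i++) allowed += rst_allowed(&b, 0);
    for (int i = 0; i < 3; i++) allowed += rst_allowed(&b, 1);
    return allowed;                         /* 4 + 2 = 6 */
}

int main(void)
{
    printf("closed port: %d  valid: %d  corrupted: %d  RSTs sent: %d\n",
           demo_classify(9999, 0), demo_classify(80, 0), demo_classify(80, 1),
           demo_rst_budget());
    return 0;
}
```

The packet to a closed port never reaches the checksum stage, which is the cost saving the message argues for; the corrupted packet to an open port is dropped by the checksum before any state would be touched, which is the property Dillon's reply insists on. The bucket shows the separate RST budget: however many rejects arrive in one instant, only the burst worth of RSTs go out.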