From owner-freebsd-net  Tue Nov 12  1:56: 8 2002
Date: Tue, 12 Nov 2002 12:55:58 +0300 (MSK)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Mike Silbersack
Cc: David Gilbert, freebsd-net@freebsd.org
Subject: Re: forwarded message on Source Quench Packets.
In-Reply-To: <20021112002616.I21273-100000@patrocles.silby.com>
Message-ID: <20021112125358.B92456-100000@news1.macomnet.ru>
References: <20021112002616.I21273-100000@patrocles.silby.com>

On 09:27+0300, Nov 12, 2002, Mike Silbersack wrote:

> (redirected to -net so others can review this)
>
> I can see how these source quench messages would cause problems if a DoS
> is being routed through a FreeBSD router, and I think that your patch
> makes sense.  Are there any objections to me committing this in a few
> days?

Shouldn't we call m_freem(mcopy) before return?

Here is an updated diff; a comment was stolen from NetBSD.

Index: sys/netinet/ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.215
diff -u -r1.215 ip_input.c
--- sys/netinet/ip_input.c	20 Oct 2002 22:52:06 -0000	1.215
+++ sys/netinet/ip_input.c	12 Nov 2002 09:51:48 -0000
@@ -1970,9 +1970,14 @@
 		break;

 	case ENOBUFS:
-		type = ICMP_SOURCEQUENCH;
-		code = 0;
-		break;
+		/*
+		 * A router should not generate ICMP_SOURCEQUENCH as
+		 * required in RFC1812 Requirements for IP Version 4 Routers.
+		 * Source quench could be a big problem under DoS attacks,
+		 * or if the underlying interface is rate-limited.
+		 */
+		m_freem(mcopy);
+		return;
 	case EACCES:		/* ipfw denied packet */
 		m_freem(mcopy);

> Mike "Silby" Silbersack
>
> On Mon, 11 Nov 2002, David Gilbert wrote:
>
> > I normally wouldn't forward something to such a big list, but this has
> > real implications (and was part of a nasty DOS against dsl.ca last
> > week).  The patch for FreeBSD (netbsd code is quoted) is trivial:
> >
> > --- /sys/netinet/ip_input.c	Thu Oct 17 08:29:53 2002
> > +++ ip_input.c	Mon Nov 11 15:15:31 2002
> > @@ -1822,9 +1822,7 @@
> >  		break;
> >
> >  	case ENOBUFS:
> > -		type = ICMP_SOURCEQUENCH;
> > -		code = 0;
> > -		break;
> > +		return;
> >
> >  	case EACCES:	/* ipfw denied packet */
> >  		m_freem(mcopy);
> >
> > I'm submitting a PR now.
> >
> > For discussion: source quenches probably shouldn't be generated
> > anyways, but this patch also doesn't generate the source quench if
> > we're the target machine.  It's probably good to go straight ahead
> > with this.  IIRC, tcp_input.c also can generate a source quench
> > ...
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>

--
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
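Review bot: in the @@ -1970,9 +1970,14 @@ hunk, the new ENOBUFS arm ends in `m_freem(mcopy); return;`, which is the same body the EACCES arm directly below starts with (only its `m_freem(mcopy);` is visible; the hunk header counts one more trailing context line than the quoted text shows), so consider letting ENOBUFS fall through into EACCES with a `/* FALLTHROUGH */` marker instead of duplicating the two statements, keeping the new comment on the ENOBUFS label. The comment itself reads the wrong way round: "should not generate ICMP_SOURCEQUENCH as required in RFC1812" can be read as the RFC requiring the message; say that RFC 1812 (section 4.3.3.3) states a router SHOULD NOT originate Source Quench. The added `m_freem(mcopy)` before `return` is the right fix for the earlier version of this patch, which returned without releasing the copy that the EACCES arm frees.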
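Review bot: in the quoted @@ -1822,9 +1822,7 @@ hunk, the bare `return;` in the ENOBUFS arm leaves `mcopy` unreleased, while the EACCES arm two lines below shows the expected pattern of `m_freem(mcopy);` before leaving the function; since ENOBUFS is the queue-full case, this would leak an mbuf chain on every drop under exactly the overload the change is meant to survive. Replacing `break` with `return` also silently skips everything after the switch (where the ICMP error is sent), which is the intent, but a one-line comment stating that Source Quench is deliberately suppressed for forwarded packets would keep the next reader from "fixing" it back.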