From owner-freebsd-net Mon Apr 24 12:38:40 2000
Delivered-To: freebsd-net@freebsd.org
Received: from falla.videotron.net (falla.videotron.net [205.151.222.106])
	by hub.freebsd.org (Postfix) with ESMTP id A900737BBAB
	for ; Mon, 24 Apr 2000 12:38:37 -0700 (PDT)
	(envelope-from bmilekic@dsuper.net)
Received: from modemcable009.62-201-24.mtl.mc.videotron.net ([24.201.62.9])
	by falla.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8)
	with ESMTP id <0FTJ009OSD31A2@falla.videotron.net>
	for freebsd-net@FreeBSD.ORG; Mon, 24 Apr 2000 15:35:26 -0400 (EDT)
Date: Mon, 24 Apr 2000 15:36:22 -0400 (EDT)
From: Bosko Milekic
Subject: Re: netkill - generic remote DoS attack
In-reply-to: <200004241710.NAA44530@tuzik.lz.att.com>
X-Sender: bmilekic@jehovah.technokratis.com
To: stanislav shalunov
Cc: freebsd-net@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Apr 2000, stanislav shalunov wrote:

> (a) stop accepting new connections until old ones time out;
> (b) free some mbuf memory forcibly.
>
> To do (b) properly, we can't just throw away pieces of send queues.
> We must tear down some connections and send an RST to the remote end
> and return ENOBUFS to the application, if any, using them locally.
>
> The solution (a) removes the obvious bug (system panics), but doesn't
> solve the problem. It appears that some variation of (b) must be
> deployed.
>

  Well, with regards to (b) -- somewhat -- I have been thinking about a
  solution for `local' processes swallowing up sockbuf space and,
  consequently, mbufs. I'm sure you can think of something else to append
  to that and have similar behavior for remote attacks.

  I've had little time to continue working on this right now, mainly due
  to lack of interest (apart from a few people who offered comments,
  notably Eivind Eklund) and also, of course, upcoming finals.
  I'm very willing to continue the work once this is all over, which will
  hopefully be in approximately 3 weeks. In the meantime, feel free to
  look it over yourself, since you've obviously gotten the point:

  http://pages.infinit.net/bmilekic/sockclnd/index.html

  -Bosko

--
 Bosko Milekic * pages.infinit.net/bmilekic/index.html * www.technokratis.com
 bmilekic@dsuper.net * bmilekic@technokratis.com * b.milekic@marianopolis.edu