From: Jesper Skriver
Date: Sun, 3 Jun 2001 16:33:30 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet ip_input.c
Message-Id: <200106032333.f53NXVm94650@freefall.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

jesper      2001/06/03 16:33:30 PDT

  Modified files:
    sys/netinet          ip_input.c
  Log:
  Prevent denial of service using bogus fragmented IPv4 packets.

  An attacker sending a lot of bogus fragmented packets to the target
  (with different IPv4 identification field - ip_id) may be able to put
  the target machine into mbuf starvation state.

  By setting an upper limit on the number of reassembly queues we prevent
  this situation.

  This upper limit is controlled by the new sysctl
  net.inet.ip.maxfragpackets, which defaults to 200, as in the IPv6 case.
  This should be sufficient for most systems, but you might want to
  increase it if you have lots of TCP sessions.

  I'm working on making the default value dependent on nmbclusters.

  If you want old behaviour (no upper limit), set this sysctl to a
  negative value.

  If you don't want to accept any fragments (not recommended), set the
  sysctl to 0 (zero).

  Obtained from:  NetBSD
  MFC after:      1 week

  Revision  Changes    Path
  1.169     +32 -1     src/sys/netinet/ip_input.c
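As an added example, not the committed ip_input.c code, the following constructed C model shows the three settings the log describes (negative = no cap, 0 = accept no fragments, otherwise cap the number of reassembly queues) and why a stream of fragments with distinct ip_id values stops allocating new queues once the cap is reached; the table size, the queue key fields and the helper names are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the reassembly-queue cap; not the FreeBSD kernel code. */
#define MAXQUEUES 1024   /* model table size (assumption) */

struct fragq {           /* one reassembly queue, keyed like the kernel's ipq */
    int in_use;
    uint32_t src, dst;
    uint16_t id;         /* IPv4 identification field (ip_id) */
    uint8_t proto;
};
static struct fragq queues[MAXQUEUES];
static int nfragpackets;       /* reassembly queues currently allocated */
int maxfragpackets = 200;      /* mirrors the net.inet.ip.maxfragpackets default */
void frag_reset(void) { memset(queues, 0, sizeof queues); nfragpackets = 0; }
int frag_queue_count(void) { return nfragpackets; }
static struct fragq *find_queue(uint32_t src, uint32_t dst, uint16_t id, uint8_t proto)
{
    for (int i = 0; i < MAXQUEUES; i++)
        if (queues[i].in_use && queues[i].src == src && queues[i].dst == dst &&
            queues[i].id == id && queues[i].proto == proto)
            return &queues[i];
    return 0;
}

/* Returns 1 if the fragment is taken into a queue, 0 if it is dropped. */
int frag_accept(uint32_t src, uint32_t dst, uint16_t id, uint8_t proto)
{
    if (find_queue(src, dst, id, proto))
        return 1;              /* joins an existing queue: no new allocation */
    /* negative: old behaviour, no cap; 0: accept no fragments; else enforce cap */
    if (maxfragpackets >= 0 && nfragpackets >= maxfragpackets)
        return 0;
    for (int i = 0; i < MAXQUEUES; i++)
        if (!queues[i].in_use) {
            queues[i] = (struct fragq){1, src, dst, id, proto};
            nfragpackets++;
            return 1;
        }
    return 0;                  /* model table exhausted */
}
/* Defender's check: of n fragments with distinct ip_id, how many get a queue? */
int accepted_with_distinct_ids(int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += frag_accept(0x0a000001, 0x0a000002, (uint16_t)i, 6);
    return accepted;
}
```

With the default of 200, the model keeps serving fragments for queues that already exist while refusing to allocate a 201st, which is the bound that keeps mbuf consumption finite.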