From owner-freebsd-current  Thu Dec  3 16:34:55 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA23476
          for freebsd-current-outgoing; Thu, 3 Dec 1998 16:34:55 -0800 (PST)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA23461
          for <freebsd-current@FreeBSD.ORG>; Thu, 3 Dec 1998 16:34:52 -0800 (PST)
          (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.1/8.9.1) id QAA01418;
	Thu, 3 Dec 1998 16:34:32 -0800 (PST)
	(envelope-from dillon)
Date: Thu, 3 Dec 1998 16:34:32 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <199812040034.QAA01418@apollo.backplane.com>
To: Stefan Bethke <stb@hanse.de>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
        John Saunders <john.saunders@scitec.com.au>,
        freebsd-current@FreeBSD.ORG
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
References:  <Pine.BSF.3.96.981202001055.26430A-100000@transit.hanse.de>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:Just as a side-note:
:
:On Tue, 1 Dec 1998, Matthew Dillon wrote:
:
:> :We should rate-limit ARPs, but don't.
:> 
:>     ARP's reasonably rate-limited because most subnets are /24's, it's
:>     the packets queued up waiting for the ARP to resolve that are the
:...
:
:Actually, arp is already (somewhat) rate-limited.  Look in
:src/sys/netinet/if_ether.c:arpresolve(), around line 369:
:...
:The packet waiting for the address to resolve will be replaced by the next
:packet transmitted for this address.  Use ping -f and tcpdump to see for
:
:Theory suggests that there can be no more than one request per local IP
:...

    Ah, I see.  I was thinking of the ARP packets themselves but it makes
    to limit the queued packets waiting for ARP to any given destination IP.

    If you have a larger subnet, say a class B, an attacker can spoof 
    sufficient packets (which the machine then tries to reply to) to cover
    the entire class B... 65536 queued packets waiting for ARP, for example.

    But I consider this a minor problem, since most machines don't sit on
    insanely huge subnets.  It would be nice to fix, but not critical.

					-Matt

:Cheers,
:Stefan


    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message