From owner-freebsd-current Thu Dec 3 16:34:55 1998
Date: Thu, 3 Dec 1998 16:34:32 -0800 (PST)
From: Matthew Dillon
Message-Id: <199812040034.QAA01418@apollo.backplane.com>
To: Stefan Bethke
Cc: Garrett Wollman, John Saunders, freebsd-current@FreeBSD.ORG
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)

:Just as a side-note:
:
:On Tue, 1 Dec 1998, Matthew Dillon wrote:
:
:> :We should rate-limit ARPs, but don't.
:>
:> ARP's reasonably rate-limited because most subnets are /24's, it's
:> the packets queued up waiting for the ARP to resolve that are the
:...
:
:Actually, arp is already (somewhat) rate-limited. Look in
:src/sys/netinet/if_ether.c:arpresolve(), around line 369:
:...
:The packet waiting for the address to resolve will be replaced by the next
:packet transmitted for this address. Use ping -f and tcpdump to see for
:
:Theory suggests that there can be no more than one request per local IP
:...

Ah, I see. I was thinking of the ARP packets themselves, but it makes sense
to limit the queued packets waiting for ARP to any given destination IP.
If you have a larger subnet, say a class B, an attacker can spoof sufficient
packets (which the machine then tries to reply to) to cover the entire class
B... 65536 queued packets waiting for ARP, for example.

But I consider this a minor problem, since most machines don't sit on
insanely huge subnets. It would be nice to fix, but not critical.

-Matt

:Cheers,
:Stefan

Matthew Dillon
Engineering, HiWay Technologies, Inc. & BEST Internet Communications & God knows what else.
(Please include original email in any response)
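Added illustration, not code from this thread or from FreeBSD's if_ether.c: a small C model of the one-held-packet-per-destination replacement behaviour Stefan describes, plus an assumed global cap on unresolved entries (MAX_PENDING is an assumption, not a FreeBSD value) so that a sweep across every address of a /16 cannot pin down 65536 held packets at once.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PENDING 1024   /* assumed cap on unresolved entries; not a FreeBSD constant */
#define MAX_HOSTS   65536  /* a class B (/16) has 65536 addresses, as in the mail */

/* One unresolved destination: holds at most one packet, as arpresolve() does. */
struct arp_pending {
    uint32_t dst;      /* destination IPv4 address, host byte order */
    int has_pkt;       /* 1 if a packet is currently held for this entry */
    unsigned pkt_id;   /* identifier of the held packet (constructed sample data) */
};

struct arp_table {
    struct arp_pending ent[MAX_PENDING];
    int npending;      /* number of distinct unresolved destinations */
    unsigned replaced; /* held packets dropped because a newer one took the slot */
    unsigned refused;  /* packets dropped because the pending table was full */
};

static struct arp_pending *find_pending(struct arp_table *t, uint32_t dst) {
    for (int i = 0; i < t->npending; i++)
        if (t->ent[i].dst == dst) return &t->ent[i];
    return NULL;
}

/* Hold one packet for an unresolved destination. Returns 1 if held, 0 if dropped.
 * Memory is bounded by MAX_PENDING entries, not by how many packets arrive. */
int arp_hold(struct arp_table *t, uint32_t dst, unsigned pkt_id) {
    struct arp_pending *e = find_pending(t, dst);
    if (e == NULL) {
        if (t->npending >= MAX_PENDING) { t->refused++; return 0; }
        e = &t->ent[t->npending++];
        e->dst = dst;
        e->has_pkt = 0;
    }
    if (e->has_pkt) t->replaced++;   /* newer packet replaces the older one */
    e->has_pkt = 1;
    e->pkt_id = pkt_id;
    return 1;
}

/* Model the scenario in the mail: one packet to every host of a /16 (constructed
 * input, host ids 1..65535). Returns how many packets end up held. */
int sweep_subnet(struct arp_table *t, uint32_t net) {
    memset(t, 0, sizeof *t);
    int held = 0;
    for (uint32_t h = 1; h < MAX_HOSTS; h++)
        held += arp_hold(t, net | h, h);
    return held;
}
```

Without the cap, the same sweep would leave one held packet per address, which is the 65536 figure above.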