Date: Mon, 15 Apr 2002 16:54:02 -0700 (PDT)
From: Brian Buchanan <brian@ncircle.com>
To: <hackers@freebsd.org>
Subject: Changes to IP fragment handling between 4.3 and 4-STABLE?
Message-ID: <20020415163318.N73608-100000@mail.ncircle.com>
4.3-RELEASE seems to be vulnerable to a network denial of service condition when either IPF or IPFW is compiled into the kernel (or IPFW loaded as a kernel module) and the host is sent a large volume of fragmented packets. At this point, the scope of my testing has been limited to the packets generated by tfgen, a Windows traffic-generation program which spews large, fragmented UDP packets.

4-STABLE does not seem to be affected by this condition when configured with no firewall or with IPFW loaded as a kernel module. In all cases, IPFW was tested with the single rule "1 allow ip from any to any".

The denial of service condition observed is that while receiving fragmented UDP packets at around 30Mbps on a 100Mbps interface, the host's network responsiveness drops to just about zero.

So I suspect that 4.3-RELEASE has a bug either in both packet filters or in the common code connecting the filters into the IP stack. I'd like to know which is the case and in what files/revisions the bug was fixed, but my search through freebsd-hackers and freebsd-commit didn't turn up anything. Perhaps someone with familiarity with the code in question can give me a pointer.

Thanks,
Brian

---
Brian Buchanan <brian@ncircle.com>
Senior Software Engineer
nCircle Network Security, Inc.
http://www.ncircle.com/