From: Brian Buchanan
Date: Mon, 15 Apr 2002 16:54:02 -0700 (PDT)
Subject: Changes to IP fragment handling between 4.3 and 4-STABLE?
Message-ID: <20020415163318.N73608-100000@mail.ncircle.com>
Delivered-To: freebsd-hackers@freebsd.org

4.3-RELEASE seems to be vulnerable to a network denial of service condition
when either IPF or IPFW is compiled into the kernel (or IPFW loaded as a
kernel module) and the host is sent a large volume of fragmented packets.
At this point, the scope of my testing has been limited to the packets
generated by tfgen, a Windows traffic-generation program which spews large,
fragmented UDP packets.

4-STABLE does not seem to be affected by this condition when configured with
no firewall or with IPFW loaded as a kernel module. In all cases, IPFW was
tested with the single rule "1 allow ip from any to any".

The denial of service condition observed is that while receiving fragmented
UDP packets at around 30Mbps on a 100Mbps interface, the host's network
responsiveness drops to just about zero.

So I suspect that 4.3-RELEASE has a bug either in both packet filters or in
the common code connecting the filters into the IP stack.

I'd like to know which is the case and in what files/revisions the bug was
fixed, but my search through freebsd-hackers and freebsd-commit didn't turn
up anything. Perhaps someone with familiarity with the code in question can
give me a pointer.

Thanks,
Brian

---
Brian Buchanan
Senior Software Engineer
nCircle Network Security, Inc.
http://www.ncircle.com/