Date: Sun, 4 Apr 2004 16:18:05 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Barney Wolff <barney@databus.com>
Cc: richard@wendland.org.uk
Subject: Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
Message-ID: <20040404160909.D29958@odysseus.silby.com>
In-Reply-To: <20040404195950.GA20607@pit.databus.com>
References: <406B3CC0.C277B933@freebsd.org> <200404041938.UAA07933@starburst.demon.co.uk> <20040404195950.GA20607@pit.databus.com>
On Sun, 4 Apr 2004, Barney Wolff wrote:

> On Sun, Apr 04, 2004 at 08:38:31PM +0100, Richard Wendland wrote:
> >
> > It would be possible to improve matters somewhat by having per-protocol
> > limits. So for TCP, which with MSS and DF rarely fragments, there could
> > be low limits. But for UDP (eg for NFS) which frequently fragments,
> > there could be generous limits.
> >
> > So systems that only permit TCP and ICMP from non-trusted hosts could
> > in an indirect way limit external attack, without eg hampering local UDP.
>
> I'd prefer either per-interface limits or a trusted/non-trusted per-interface
> bit, if anything at all. Per-protocol limits would simply cause the
> attackers to attack the other protocol. In truth, running NFS over UDP
> with 65k packets over the Internet is suicidal anyway.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf

Per-protocol limits _could_ have some advantages; the 16 frags per packet
limit was chosen to account for NFS over UDP. For TCP, we could drop that
to 3 frags per packet, allowing more packets within the same amount of mbuf
clusters. But, as you point out, that really won't make much of a
difference overall.

I think that per-interface or perhaps per-trusted hosts (trust hosts that we
have had legitimate tcp sessions with?) would be a good improvement, but it's
a lot of work. <g>

An improvement which I had considered last year when I implemented the
per-packet frag limits was doing coalescing of fragments as they arrived,
changing the limit from "fragments per packet" to "holes per packet". This
would negate any attack which relied upon using the fact that even 8 byte
fragments eat up an entire mbuf cluster. However, under a high bandwidth
attack, this improvement would still not really help legitimate hosts get
through, so I haven't spent time implementing it.

Yeah, limits as you suggest are probably the only good way, IP fragmentation
was implemented in a way that just encourages DoS attacks.
Mike "Silby" Silbersack
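An added illustration, not part of the original thread or of FreeBSD's reassembly code, of the "holes per packet" accounting Mike describes: a toy reassembly queue that coalesces adjacent fragments on arrival and counts the gaps still missing, so the same datagram can be compared under a "fragments per packet" and a "holes per packet" limit. Fragment offsets and lengths are constructed sample values.

```python
# Toy IPv4 reassembly bookkeeping (added example, not kernel code).
# Byte ranges [start, end) of one datagram are merged as fragments arrive;
# the per-packet limit can then be checked against holes() instead of
# the raw fragment count. Offsets/lengths below are constructed samples.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReassemblyQueue:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # sorted, disjoint
    frags_seen: int = 0                 # what a "fragments per packet" limit counts
    total_len: Optional[int] = None     # known once the MF=0 fragment arrives

    def add(self, offset: int, length: int, more_fragments: bool) -> None:
        self.frags_seen += 1
        if not more_fragments:
            self.total_len = offset + length
        start, end = offset, offset + length
        merged = []
        for s, e in self.ranges:
            if e < start or s > end:        # disjoint: keep as is
                merged.append((s, e))
            else:                           # adjacent or overlapping: absorb
                start, end = min(s, start), max(e, end)
        merged.append((start, end))
        self.ranges = sorted(merged)

    def holes(self) -> int:
        """Gaps still missing; the tail counts as a hole until MF=0 is seen."""
        count, prev_end = 0, 0
        for s, e in self.ranges:
            if s > prev_end:
                count += 1
            prev_end = e
        if self.total_len is None or prev_end < self.total_len:
            count += 1
        return count


def contiguous_small_fragments(n: int = 16) -> Tuple[int, int]:
    """n back-to-back 8-byte fragments, last one still MF=1: many frags, one hole."""
    q = ReassemblyQueue()
    for i in range(n):
        q.add(8 * i, 8, more_fragments=True)
    return q.frags_seen, q.holes()


def out_of_order_fragments() -> Tuple[int, int]:
    """Three fragments of a 56-byte datagram with two gaps left in the middle."""
    q = ReassemblyQueue()
    q.add(0, 8, True)
    q.add(24, 8, True)
    q.add(48, 8, False)      # final fragment, datagram length now known
    return q.frags_seen, q.holes()
```

With coalescing, the sixteen contiguous 8-byte fragments that would hit the 16-frags-per-packet limit are one range with a single trailing hole, while genuinely scattered fragments are still charged per gap.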