Date: Sat, 22 Jan 2000 00:15:48 -0700
From: Wes Peters <wes@softweyr.com>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Brett Glass <brett@lariat.org>, Warner Losh <imp@village.org>, Darren Reed <avalon@coombs.anu.edu.au>, security@freebsd.org
Subject: Re: stream.c worst-case kernel paths
Message-ID: <38895924.5C358388@softweyr.com>
References: <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <4.2.2.20000121163937.01a51dc0@localhost> <200001220035.QAA65392@apollo.backplane.com>
Matthew Dillon wrote:
>
> I wouldn't worry about multicast addresses for several reasons. First, very
> few machines actually run a multicast router. No router, no problem. Second,
> multicast tunnels tend to be bandwidth limited anyway. Third, from the point
> of view of victimizing someone multicast isn't going to get you very far
> because we already check for a multicast destination. We don't really need
> to check for a multicast source because it's really no different from a
> victimizing point of view as a non-multicast source address.
In my testing this morning, I was running stream against a FreeBSD 3.4-R
machine with two interfaces, one on a private net and one on our main
LAN. When I hit it with stream using random addresses, it was generating
multicast addresses. The target machine began flooding the ACKs onto the
main LAN, even though net.inet.ip.forwarding = 0.
Who needs a multicast router? I brought 400 machines to their knees and
completely flooded a frac T-1 from what was supposed to be an *isolated*
test network.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
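The behaviour Wes describes is the kernel answering an unsolicited TCP segment whose claimed source is a multicast group: the RST is a locally generated packet, so net.inet.ip.forwarding does not gate it, and since its destination is a group address it leaves the host as a multicast frame that every machine on the segment has to process. The following is an added illustration, written for this archive page and not taken from FreeBSD's tcp_input, of the source-address check that closes that path. It shows a simplified "destination check only" reply decision beside a hardened one that also refuses multicast, broadcast, 0.0.0.0 and 240/4 sources; the struct tcp_seg, the ip4() helper and the sample segments are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All addresses are IPv4 in host byte order. The macros mirror the
 * BSD <netinet/in.h> tests but are spelled out so the example builds
 * on any platform. */
#define IS_MULTICAST(a)    (((a) & 0xf0000000u) == 0xe0000000u)  /* 224.0.0.0/4 */
#define IS_EXPERIMENTAL(a) (((a) & 0xf0000000u) == 0xf0000000u)  /* 240.0.0.0/4 */
#define ADDR_ANY           0x00000000u
#define ADDR_BROADCAST     0xffffffffu

/* Helper so addresses read as dotted quads: ip4(239,1,2,3). */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Assumed, simplified view of the state the decision needs. A real
 * kernel reads these from the IP/TCP headers and the mbuf flags. */
struct tcp_seg {
    uint32_t src, dst;
    bool link_bcast;   /* arrived in a link-layer broadcast/multicast frame */
    bool rst_set;      /* RST flag set: a RST never answers a RST */
    bool has_socket;   /* a socket matched (dst, port); normal processing */
};

/* Both functions return the address the RST would be sent to, or 0
 * when the segment is dropped with no reply (0.0.0.0 is never a valid
 * reply target, so 0 is unambiguous). */

/* "Before": only the destination side is validated. An unsolicited ACK
 * whose random source landed in 224/4 still gets a RST, and that RST is
 * addressed to the group, i.e. it goes out as a multicast frame. */
uint32_t rst_target_dst_check_only(const struct tcp_seg *s)
{
    if (s->link_bcast || IS_MULTICAST(s->dst) || s->dst == ADDR_BROADCAST)
        return 0;
    if (s->rst_set || s->has_socket)
        return 0;
    return s->src;           /* reply to whatever source was claimed */
}

/* "After": the source is validated as well. Replying to any of these
 * would put a broadcast/multicast frame on the wire or reach nothing,
 * so the segment is dropped before a reply is ever built. */
uint32_t rst_target_hardened(const struct tcp_seg *s)
{
    if (s->link_bcast || IS_MULTICAST(s->dst) || s->dst == ADDR_BROADCAST)
        return 0;
    if (s->src == ADDR_ANY || s->src == ADDR_BROADCAST ||
        IS_MULTICAST(s->src) || IS_EXPERIMENTAL(s->src))
        return 0;
    if (s->rst_set || s->has_socket)
        return 0;
    return s->src;
}

static const char *describe(uint32_t target)
{
    if (target == 0)            return "no reply";
    if (IS_MULTICAST(target))   return "RST to a MULTICAST group (flooded on the LAN)";
    return "RST to a unicast source";
}

int main(void)
{
    /* Constructed sample: a stream.c-style bare ACK from a random source
     * that fell in 224/4, aimed at a port with no listener. */
    struct tcp_seg spoofed = { ip4(239,1,2,3), ip4(10,0,0,5), false, false, false };
    /* Constructed sample: same thing from an ordinary unicast source. */
    struct tcp_seg unicast = { ip4(192,0,2,7), ip4(10,0,0,5), false, false, false };

    printf("multicast source, dst-check only: %s\n", describe(rst_target_dst_check_only(&spoofed)));
    printf("multicast source, hardened:       %s\n", describe(rst_target_hardened(&spoofed)));
    printf("unicast source,   hardened:       %s\n", describe(rst_target_hardened(&unicast)));
    return 0;
}
```

The point of the contrast is that filtering on the destination alone, as the quoted reply argues is sufficient, leaves the reply path open: the attacker never needs a multicast router, because the victim itself originates the multicast frame in response to each forged packet. A legitimate unicast peer still receives its RST under the hardened check, so nothing in normal TCP behaviour is lost.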