From: Tony Zhang <blahhun@yahoo.com>
To: netdev@vger.kernel.org
Subject: Design intent of IP fragment cache limit?
Date: Wed, 27 Jun 2007 13:01:12 -0700 (PDT)
Message-ID: <126403.86015.qm@web34604.mail.mud.yahoo.com>
Hi,
I am investigating an IP fragmentation flood DOS
attack scenario where the attacker sends a string of
fragmented IP packets to exhaust the victim's fragment
cache. I've checked the IP fragment reassembly
implementation on several UNIX-like OSs. NetBSD/FreeBSD
don't handle such a scenario. I was hoping Linux would
upon seeing the two cache limit sysctls. But after
looking deeper into the code, I doubt it addresses
that threat either.
So out of curiosity, I was wondering if anyone knows
the design rationale behind the high/low cache limit
for IP fragments (e.g. sysctl_ipfrag_high(low)_thresh
in ip_defrag(), ip_fragment.c). What attack scenario
do these two sysctls address?
Thanks,
Tony
FYI:
Detailed possible attack scenario:
A BGP router is unable to detect the PMTU with its
peer (e.g. ICMP is turned off in the intermediate
router at which the MTU decreases) and thus all
packets get fragmented. If there is an attack on its
peer that exhausts its fragment buffer space, the BGP
peering cannot be established and therefore the AS
becomes completely cut off.
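To make the behaviour of the two watermarks concrete, here is an added toy model (not code from the post or from the kernel) of the reassembly cache as ip_fragment.c of that era handles it: queues are kept in LRU order and, when accounted memory exceeds the high threshold, the oldest queues are dropped until memory falls to the low threshold. The thresholds, fragment costs and the "bgp-peer" / "attacker" datagram keys are constructed values; the model shows that the watermarks bound kernel memory but do not keep a legitimate datagram's queue from being evicted when enough never-completing queues arrive between its fragments.

```python
from collections import OrderedDict


class FragCache:
    """Toy model of the IPv4 reassembly cache with high/low watermarks.
    One queue per in-flight datagram, kept in LRU order; memory is
    accounted as one unit per queued fragment (constructed cost)."""

    def __init__(self, high_thresh=20, low_thresh=10):
        self.high, self.low = high_thresh, low_thresh
        self.queues = OrderedDict()  # key -> set of fragment indexes seen
        self.total = {}              # key -> fragment count, once the last one is seen
        self.mem = 0
        self.evicted = 0

    def evict(self):
        # Like ip_evictor(): drop least recently used queues until mem <= low.
        while self.mem > self.low and self.queues:
            key, frags = self.queues.popitem(last=False)
            self.total.pop(key, None)
            self.mem -= len(frags)
            self.evicted += 1

    def add_fragment(self, key, index, is_last=False):
        """Queue fragment `index` of datagram `key`; True once it is complete."""
        if self.mem > self.high:      # checked on entry, as ip_defrag() does
            self.evict()
        frags = self.queues.setdefault(key, set())
        self.queues.move_to_end(key)  # a touched queue becomes most recently used
        frags.add(index)
        self.mem += 1
        if is_last:
            self.total[key] = index + 1
        if key in self.total and len(frags) == self.total[key]:
            del self.queues[key]
            del self.total[key]
            self.mem -= len(frags)
            return True
        return False


def simulate(flood_between_legit, legit_frags=4, high=20, low=10):
    """Interleave one legitimate datagram with a flood of one-fragment queues
    that never complete (constructed traffic); True if the legit one reassembles."""
    cache = FragCache(high, low)
    flood_id = 0
    for i in range(legit_frags):
        for _ in range(flood_between_legit):
            cache.add_fragment(("attacker", flood_id), 0)  # remaining fragments never come
            flood_id += 1
        if cache.add_fragment("bgp-peer", i, is_last=(i == legit_frags - 1)):
            return True
    return False
```

With 4 flood fragments between each legitimate fragment the datagram completes; with 30 the legitimate queue is evicted before its last fragment arrives and reassembly never succeeds, while memory stays bounded by the high threshold throughout.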