* Possible ip_defrag DoS ?
[not found] ` <3E4F8660.5020409@trash.net>
@ 2003-02-16 20:11 ` Harald Welte
2003-02-16 20:26 ` Patrick McHardy
0 siblings, 1 reply; 2+ messages in thread
From: Harald Welte @ 2003-02-16 20:11 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Don Cohen, netfilter-devel, netdev
[-- Attachment #1: Type: text/plain, Size: 1023 bytes --]
On Sun, Feb 16, 2003 at 01:38:56PM +0100, Patrick McHardy wrote:
> inerestingly, it seems linux defragmentation is vulnerable to dos attack.
> the evictor (called before defragmentation) just kills the oldest entry
> of each hash slot, starting with 0 until memory is below
> sysctl_ipfrag_low_thresh. by sending enough fragments
> (>sysctl_ipfrag_high_thresh) which hash to the highest bucket you can
> stop reassembly of valid packets.
I'm forwarding this (from netfilter-devel) to the linux networking
developers at netdev@oss.sgi.com. If your assumption is valid, they
might want to have a look at this...
thanks.
> Patrick
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Possible ip_defrag DoS ?
2003-02-16 20:11 ` Possible ip_defrag DoS ? Harald Welte
@ 2003-02-16 20:26 ` Patrick McHardy
0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2003-02-16 20:26 UTC (permalink / raw)
To: Harald Welte; +Cc: Don Cohen, netfilter-devel, netdev
Harald Welte wrote:
>On Sun, Feb 16, 2003 at 01:38:56PM +0100, Patrick McHardy wrote:
>
>
>
>>inerestingly, it seems linux defragmentation is vulnerable to dos attack.
>>the evictor (called before defragmentation) just kills the oldest entry
>>of each hash slot, starting with 0 until memory is below
>>sysctl_ipfrag_low_thresh. by sending enough fragments
>>(>sysctl_ipfrag_high_thresh) which hash to the highest bucket you can
>>stop reassembly of valid packets.
>>
>>
>
>I'm forwarding this (from netfilter-devel) to the linux networking
>developers at netdev@oss.sgi.com. If your assumption is valid, they
>might want to have a look at this...
>
>thanks.
>
>
>
>
Hi Harald, it seems this was not (entirely) correct, the evictor only
kills the last
member of each hash slot and then moves on. still, assuming the hash
function is good
there is a good chance we can disturb reassembly noticeable.
Patrick
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-02-16 20:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20030215232635.25928.78900.Mailman@kashyyyk>
[not found] ` <15950.60635.389199.836425@isis.cs3-inc.com>
[not found] ` <3E4F0881.70302@trash.net>
[not found] ` <15951.10496.914173.716313@isis.cs3-inc.com>
[not found] ` <3E4F8660.5020409@trash.net>
2003-02-16 20:11 ` Possible ip_defrag DoS ? Harald Welte
2003-02-16 20:26 ` Patrick McHardy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).