* Possible ip_defrag DoS ? [not found] ` <3E4F8660.5020409@trash.net> @ 2003-02-16 20:11 ` Harald Welte 2003-02-16 20:26 ` Patrick McHardy 0 siblings, 1 reply; 2+ messages in thread From: Harald Welte @ 2003-02-16 20:11 UTC (permalink / raw) To: Patrick McHardy; +Cc: Don Cohen, netfilter-devel, netdev [-- Attachment #1: Type: text/plain, Size: 1023 bytes --] On Sun, Feb 16, 2003 at 01:38:56PM +0100, Patrick McHardy wrote: > inerestingly, it seems linux defragmentation is vulnerable to dos attack. > the evictor (called before defragmentation) just kills the oldest entry > of each hash slot, starting with 0 until memory is below > sysctl_ipfrag_low_thresh. by sending enough fragments > (>sysctl_ipfrag_high_thresh) which hash to the highest bucket you can > stop reassembly of valid packets. I'm forwarding this (from netfilter-devel) to the linux networking developers at netdev@oss.sgi.com. If your assumption is valid, they might want to have a look at this... thanks. > Patrick -- - Harald Welte <laforge@netfilter.org> http://www.netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie [-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --] ^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Possible ip_defrag DoS ? 2003-02-16 20:11 ` Possible ip_defrag DoS ? Harald Welte @ 2003-02-16 20:26 ` Patrick McHardy 0 siblings, 0 replies; 2+ messages in thread From: Patrick McHardy @ 2003-02-16 20:26 UTC (permalink / raw) To: Harald Welte; +Cc: Don Cohen, netfilter-devel, netdev Harald Welte wrote: >On Sun, Feb 16, 2003 at 01:38:56PM +0100, Patrick McHardy wrote: > > > >>inerestingly, it seems linux defragmentation is vulnerable to dos attack. >>the evictor (called before defragmentation) just kills the oldest entry >>of each hash slot, starting with 0 until memory is below >>sysctl_ipfrag_low_thresh. by sending enough fragments >>(>sysctl_ipfrag_high_thresh) which hash to the highest bucket you can >>stop reassembly of valid packets. >> >> > >I'm forwarding this (from netfilter-devel) to the linux networking >developers at netdev@oss.sgi.com. If your assumption is valid, they >might want to have a look at this... > >thanks. > > > > Hi Harald, it seems this was not (entirely) correct, the evictor only kills the last member of each hash slot and then moves on. still, assuming the hash function is good there is a good chance we can disturb reassembly noticeable. Patrick ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-02-16 20:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20030215232635.25928.78900.Mailman@kashyyyk>
[not found] ` <15950.60635.389199.836425@isis.cs3-inc.com>
[not found] ` <3E4F0881.70302@trash.net>
[not found] ` <15951.10496.914173.716313@isis.cs3-inc.com>
[not found] ` <3E4F8660.5020409@trash.net>
2003-02-16 20:11 ` Possible ip_defrag DoS ? Harald Welte
2003-02-16 20:26 ` Patrick McHardy
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).