(redirected to -net so others can review this) I can see how these source quench messages would cause problems if a DoS is being routed through a FreeBSD router, and I think that your patch makes sense. Are there any objections to me committing this in a few days?
Mike "Silby" Silbersack

On Mon, 11 Nov 2002, David Gilbert wrote:

> I normally wouldn't forward something to such a big list, but this has
> real implications (and was part of a nasty DOS against dsl.ca last
> week). The patch for FreeBSD (netbsd code is quoted) is trivial:
>
> --- /sys/netinet/ip_input.c Thu Oct 17 08:29:53 2002
> +++ ip_input.c Mon Nov 11 15:15:31 2002
> @@ -1822,9 +1822,7 @@
> break;
>
> case ENOBUFS:
> - type = ICMP_SOURCEQUENCH;
> - code = 0;
> - break;
> + return;
>
> case EACCES: /* ipfw denied packet */
> m_freem(mcopy);
>
> I'm submitting a PR now.
>
> For discussion: source quenches probably shouldn't be generated
> anyways, but this patch also doesn't generate the source quench if
> we're the target machine. It's probably good to go straight ahead
> with this. IIRC, tcp_input.c also can generate a source quench
> ...
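Review bot: the bare `+ return;` in the `case ENOBUFS:` arm leaks `mcopy`. The `case EACCES:` arm two lines below shows the pattern the function already uses for an early exit, `m_freem(mcopy);` before leaving, so the new arm should read `m_freem(mcopy); return;` (or fall through into the EACCES arm with a comment saying so). As written, every dropped-under-pressure packet on the forwarding path also drops the 64-byte mbuf copy that was taken for ICMP error reporting, which is exactly the resource-exhaustion condition ENOBUFS signals. A one-line comment on why source quench is no longer sent (RFC 1812 routers should not generate it, and it amplifies a flood) would also help the next reader, since the arm otherwise looks like an accidental no-op.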