(redirected to -net so others can review this)

I can see how these source quench messages would cause problems if a DoS
is being routed through a FreeBSD router, and I think that your patch
makes sense.  Are there any objections to me committing this in a few
days?

Mike "Silby" Silbersack

On Mon, 11 Nov 2002, David Gilbert wrote:

> I normally wouldn't forward something to such a big list, but this has
> real implications (and was part of a nasty DOS against dsl.ca last
> week).  The patch for FreeBSD (netbsd code is quoted) is trivial:
>
> --- /sys/netinet/ip_input.c     Thu Oct 17 08:29:53 2002
> +++ ip_input.c  Mon Nov 11 15:15:31 2002
> @@ -1822,9 +1822,7 @@
>                 break;
>
>         case ENOBUFS:
> -               type = ICMP_SOURCEQUENCH;
> -               code = 0;
> -               break;
> +               return;
>
>         case EACCES:                    /* ipfw denied packet */
>                 m_freem(mcopy);
>
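Review bot: the new `return;` in the ENOBUFS case exits without releasing mcopy, whereas the EACCES case directly below it calls `m_freem(mcopy);`. Unless mcopy is freed somewhere outside the visible lines, each ENOBUFS on this path would now leak an mbuf, and under the kind of flood this change is meant to handle that leak would add to buffer exhaustion. Suggest `m_freem(mcopy); return;` here, plus a short comment in the case explaining why no source quench is generated, since the bare `return;` does not say that the omission is deliberate.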
> I'm submitting a PR now.
>
> For discussion: source quenches probably shouldn't be generated
> anyways, but this patch also doesn't generate the source quench if
> we're the target machine.  It's probably good to go straight ahead
> with this.  IIRC, tcp_input.c also can generate a source quench
> ...
>
>

