On 09:27+0300, Nov 12, 2002, Mike Silbersack wrote:

>
> (redirected to -net so others can review this)
>
> I can see how these source quench messages would cause problems if a DoS
> is being routed through a FreeBSD router, and I think that your patch
> makes sense.  Are there any objections to me committing this in a few
> days?

Shouldn't we call m_freem(mcopy) before return? Here is an updated
diff; the comment was stolen from NetBSD.

Index: sys/netinet/ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.215
diff -u -r1.215 ip_input.c
--- sys/netinet/ip_input.c      20 Oct 2002 22:52:06 -0000      1.215
+++ sys/netinet/ip_input.c      12 Nov 2002 09:51:48 -0000
@@ -1970,9 +1970,14 @@
                break;

        case ENOBUFS:
-               type = ICMP_SOURCEQUENCH;
-               code = 0;
-               break;
+               /*
+                * A router should not generate ICMP_SOURCEQUENCH as
+                * required in RFC1812 Requirements for IP Version 4 Routers.
+                * Source quench could be a big problem under DoS attacks,
+                * or if the underlying interface is rate-limited.
+                */
+               m_freem(mcopy);
+               return;

        case EACCES:                    /* ipfw denied packet */
                m_freem(mcopy);
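Review bot: the added comment ("A router should not generate ICMP_SOURCEQUENCH as required in RFC1812") reads as though RFC 1812 requires generating them; suggest rewording to "RFC 1812 (Requirements for IP Version 4 Routers) says a router SHOULD NOT originate ICMP Source Quench messages" so the intent is unambiguous. The `m_freem(mcopy); return;` pair is consistent with the EACCES case immediately below, which also frees mcopy, so this hunk does not introduce the mbuf leak that a bare `return;` would; note that the early return also skips whatever follows the switch, which is fine only if nothing after it is needed on the ENOBUFS path.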

%%%

> Mike "Silby" Silbersack
>
> On Mon, 11 Nov 2002, David Gilbert wrote:
>
> > I normally wouldn't forward something to such a big list, but this has
> > real implications (and was part of a nasty DoS against dsl.ca last
> > week).  The patch for FreeBSD (netbsd code is quoted) is trivial:
> >
> > --- /sys/netinet/ip_input.c     Thu Oct 17 08:29:53 2002
> > +++ ip_input.c  Mon Nov 11 15:15:31 2002
> > @@ -1822,9 +1822,7 @@
> >                 break;
> >
> >         case ENOBUFS:
> > -               type = ICMP_SOURCEQUENCH;
> > -               code = 0;
> > -               break;
> > +               return;
> >
> >         case EACCES:                    /* ipfw denied packet */
> >                 m_freem(mcopy);
> >
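Review bot: `+ return;` on the ENOBUFS branch leaves the mbuf referenced by mcopy unfreed, whereas the EACCES case just below calls `m_freem(mcopy);` before leaving; add the free before the return so suppressing the source quench does not leak the copied packet under exactly the load conditions (ENOBUFS) where mbufs are scarce. A short comment explaining why source quench is no longer generated would also help the next reader of this switch.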
> > I'm submitting a PR now.
> >
> > For discussion: source quenches probably shouldn't be generated
> > anyways, but this patch also doesn't generate the source quench if
> > we're the target machine.  It's probably good to go straight ahead
> > with this.  IIRC, tcp_input.c also can generate a source quench
> > ...
> >
> >
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>
>

-- 
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@;macomnet.ru


