On Wed, 31 Mar 2004, Andre Oppermann wrote:
> We have the following sysctl's to withstand such an attack:
>
> net.inet.ip.maxfragpackets [800]
> net.inet.ip.maxfragsperpacket [16]
>
> Which limits such an attack to 800 packets overall and 16 fragments
> per packet.
>
> Of course, when the maxfragpackets limit is reached by malicious
> packets we are unable to process legitimate fragmented IP packets
> until the malicious ones start to time out. There is nothing else
> one can do to fight off such an attack.
>
> --
> Andre
Actually, once the limit is reached, packets are forced out in FIFO order. However, if the attack is continuous and of a high data rate, then it is possible that legitimate packets will be forced out of the queue before they can be fully reassembled.

NetBSD has adopted a slightly different approach to the problem: they track the total number of fragments, then do a random purge of reassembly queues whenever the fragment count hits a certain threshold. I suspect that under a high bandwidth fragmentation attack, both approaches would be overwhelmed.

I'm not sure what's really new about this "Rose Attack"; it shouldn't affect 4.8+ FreeBSD machines much at all. I'm actually puzzled that his attack does anything at all, you can eat up a lot more memory using fragrouter and some creative ipfw rules. :)

Mike "Silby" Silbersack
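As an added illustration (a constructed model, not FreeBSD kernel code), the Python below simulates a reassembly table governed by the two sysctl limits quoted above and shows the FIFO eviction Mike describes: with maxfragpackets at 800, 799 never-completing fragment queues leave a legitimate three-fragment datagram intact, while 800 of them push it out before its remaining fragments arrive. Names such as `ReassemblyQueue` and `flood_scenario` are this example's own.

```python
from collections import OrderedDict

MAXFRAGPACKETS = 800     # net.inet.ip.maxfragpackets default discussed above
MAXFRAGSPERPACKET = 16   # net.inet.ip.maxfragsperpacket default discussed above


class ReassemblyQueue:
    """Toy model of the per-host fragment reassembly table (hypothetical)."""

    def __init__(self, maxfragpackets=MAXFRAGPACKETS,
                 maxfragsperpacket=MAXFRAGSPERPACKET):
        self.max_packets = maxfragpackets
        self.max_frags = maxfragsperpacket
        # insertion order of keys is the FIFO order used for eviction
        self.queues = OrderedDict()
        self.dropped = 0      # reassembly queues thrown away incomplete
        self.completed = []   # datagram keys that fully reassembled

    def add(self, key, frag_index, total_frags):
        """Accept one fragment; return True when its datagram is complete."""
        if key not in self.queues:
            if len(self.queues) >= self.max_packets:
                # Table full: the oldest partial datagram is forced out (FIFO).
                self.queues.popitem(last=False)
                self.dropped += 1
            self.queues[key] = {"have": set(), "total": total_frags}
        q = self.queues[key]
        q["have"].add(frag_index)
        if len(q["have"]) > self.max_frags:
            # Per-datagram fragment cap exceeded: drop the whole queue.
            del self.queues[key]
            self.dropped += 1
            return False
        if len(q["have"]) == q["total"]:
            del self.queues[key]
            self.completed.append(key)
            return True
        return False


def flood_scenario(n_bogus, maxfragpackets=MAXFRAGPACKETS):
    """Constructed traffic: a legitimate 3-fragment datagram whose first
    fragment is followed by n_bogus single first-fragments that never
    complete. Returns whether the legitimate datagram reassembled."""
    rq = ReassemblyQueue(maxfragpackets)
    rq.add(("legit", 1), 0, 3)
    for i in range(n_bogus):
        rq.add(("bogus", i), 0, 2)   # only fragment 0 ever arrives
    rq.add(("legit", 1), 1, 3)
    return rq.add(("legit", 1), 2, 3)
```

Raising `n_bogus` past the table size is what turns "legitimate fragments wait behind attackers' queues" into "legitimate fragments are lost", which is the failure mode both posts describe.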