Fwd: [IPv4 fragmentation --> The Rose Attack]

Mike Silbersack silby at silby.com
Wed Mar 31 16:09:12 PST 2004


On Wed, 31 Mar 2004, Andre Oppermann wrote:

> We have the following sysctl's to withstand such an attack:
>
>  net.inet.ip.maxfragpackets [800]
>  net.inet.ip.maxfragsperpacket [16]
>
> Which limits such an attack to 800 packets overall and 16 fragments
> per packet.
>
> Of course, when the maxfragpackets limit is reached by malicious
> packets we are unable to process legitimate fragmented IP packets
> until the malicious ones start to time out.  There is nothing else
> one can do to fight off such an attack.
>
> --
> Andre

Actually, once the limit is reached, packets are forced out in FIFO order.
However, if the attack is continuous and of a high data rate, then it is
possible that legitimate packets will be forced out of the queue before
they can be fully reassembled.

NetBSD has adopted a slightly different approach to the problem, they
track the total number of fragments, then do a random purge of reassembly
queues whenever the fragment count hits a certain threshold.  I suspect
that under a high bandwidth fragmentation attack, both approaches would be
overwhelmed.

I'm not sure what's really new about this "Rose Attack", it shouldn't
affect 4.8+ FreeBSD machines much at all.  I'm actually puzzled that his
attack does anything at all, you can eat up a lot more memory using
fragrouter and some creative ipfw rules. :)

Mike "Silby" Silbersack
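
The two eviction policies discussed in the message above, as an added
example that is not code from the FreeBSD or NetBSD kernels: a toy
reassembly queue that enforces the two sysctl limits named
(net.inet.ip.maxfragpackets, net.inet.ip.maxfragsperpacket), evicts the
oldest queue in FIFO order when maxfragpackets is reached, or, for the
NetBSD-style policy, purges a random share of the queues once the total
fragment count hits a threshold. The threshold (1600 fragments), the purge
share (25%), the addresses and the attack pattern (one fragment per fresh
IP ID, so no attack datagram ever completes) are assumptions made for the
simulation, not values taken from either kernel.

```python
"""Simulate a bounded IPv4 fragment reassembly queue under a fragment flood.

Added example, not FreeBSD/NetBSD code. Fragments are tracked by index
within the datagram instead of by byte offset, which is enough to show
when a legitimate datagram gets forced out before it can be completed.
"""
from collections import OrderedDict
import random


class ReassemblyQueue:
    """Reassembly queues keyed by (src, dst, proto, ip_id), with either
    FreeBSD-style FIFO eviction or a NetBSD-style random purge."""

    def __init__(self, policy="fifo", maxfragpackets=800, maxfragsperpacket=16,
                 purge_threshold=1600, purge_fraction=0.25, seed=1):
        assert policy in ("fifo", "random")
        self.policy = policy
        self.maxfragpackets = maxfragpackets        # net.inet.ip.maxfragpackets
        self.maxfragsperpacket = maxfragsperpacket  # net.inet.ip.maxfragsperpacket
        self.purge_threshold = purge_threshold      # assumed trigger for the random purge
        self.purge_fraction = purge_fraction        # assumed share of queues purged
        self.rng = random.Random(seed)
        self.queues = OrderedDict()   # key -> {"frags": set of indices, "last": index or None}
        self.nfrags = 0               # fragments held across all queues
        self.evicted = 0              # queues dropped before they completed

    def _drop(self, key):
        entry = self.queues.pop(key)
        self.nfrags -= len(entry["frags"])
        self.evicted += 1

    def _random_purge(self):
        keys = list(self.queues)
        for k in self.rng.sample(keys, max(1, int(len(keys) * self.purge_fraction))):
            self._drop(k)

    def add_fragment(self, key, index, more_fragments):
        """Insert one fragment; return True once key's datagram is complete."""
        if key not in self.queues:
            if self.policy == "fifo" and len(self.queues) >= self.maxfragpackets:
                self._drop(next(iter(self.queues)))   # oldest queue is forced out
            self.queues[key] = {"frags": set(), "last": None}
        entry = self.queues[key]
        if len(entry["frags"]) >= self.maxfragsperpacket:
            self._drop(key)   # too many fragments for one datagram: drop it whole
            return False
        if index not in entry["frags"]:
            entry["frags"].add(index)
            self.nfrags += 1
        if not more_fragments:
            entry["last"] = index   # MF clear: this is the final fragment
        if entry["last"] is not None and len(entry["frags"]) == entry["last"] + 1:
            self.queues.pop(key)    # all fragments present: reassembled
            self.nfrags -= len(entry["frags"])
            return True
        if self.policy == "random" and self.nfrags >= self.purge_threshold:
            self._random_purge()
        return False


def simulate(policy, attacker_frags_between, legit_nfrags=8, **kw):
    """Interleave one legitimate datagram with attack fragments, each sent
    under a fresh IP ID with MF set so it can never complete. Returns whether
    the legitimate datagram reassembled and how many queues were dropped."""
    q = ReassemblyQueue(policy=policy, **kw)
    legit = ("10.0.0.2", "10.0.0.1", 17, 0x1234)   # constructed (src, dst, proto, ip_id)
    attack_id = 0
    done = False
    for i in range(legit_nfrags):
        done = q.add_fragment(legit, i, more_fragments=(i < legit_nfrags - 1))
        if i == legit_nfrags - 1:
            break
        for _ in range(attacker_frags_between):
            attack_id += 1
            q.add_fragment(("198.51.100.7", "10.0.0.1", 17, attack_id), 1, True)
    return {"completed": done, "evicted": q.evicted, "queued": len(q.queues)}


if __name__ == "__main__":
    for policy in ("fifo", "random"):
        for rate in (10, 1000):
            print(policy, rate, simulate(policy, rate))
```

With ten attack fragments between each legitimate fragment neither policy
ever evicts anything and the datagram completes; with a thousand, the FIFO
policy pushes the legitimate queue out every time before its next fragment
arrives, and the random purge drops it with a probability that grows with
each trigger, which is the point made above that both approaches are
overwhelmed by a sufficiently fast flood.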


More information about the freebsd-net mailing list