On Sun, Feb 16, 2003 at 01:38:56PM +0100, Patrick McHardy wrote:
> inerestingly, it seems linux defragmentation is vulnerable to dos attack.
> the evictor (called before defragmentation) just kills the oldest entry
> of each hash slot, starting with 0 until memory is below
> sysctl_ipfrag_low_thresh. by sending enough fragments
> (>sysctl_ipfrag_high_thresh) which hash to the highest bucket you can
> stop reassembly of valid packets.
I'm forwarding this (from netfilter-devel) to the linux networking
developers at netdev@xxxxxxxxxxxx If your assumption is valid, they
might want to have a look at this...
thanks.
> Patrick
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
pgpbF391Kf8rL.pgp
Description: PGP signature
|