Date:	Sat, 17 Dec 2011 14:26:01 +0100
From:	richard -rw- weinberger <richard.weinberger@...il.com>
To:	Robert Gladewitz <gladewitz@....de>
Cc:	linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Kernel-DOS error in arp mechanism – no delete off incomplete arp adresses

On Sat, Dec 17, 2011 at 9:27 AM, Robert Gladewitz <gladewitz@....de> wrote:
> Hello,
>
> First I have to say sorry for my bad English. I try my best to describe the
> error.
>
> I use Linux routers for internal and external firewall components. For this
> I use my own kernel configurations and use only the drivers and modules that I
> need. Other features and modules I deactivated in my kernel versions.
>
> Since kernel version 2.6.36 there is some mistake in the IPv4 ARP
> implementation. When the system tries to find an unknown system, it sends a
> "who is" and marks the IP address as "incomplete" (German: unvollständig).
> The thing is, usually Linux deletes all incomplete and complete entries after
> some time, but in all kernel versions since 2.6.36 it does not delete any
> addresses.
>
> In my case, I scan my network segments for new devices (Kaspersky, LANDesk)
> and in this process the router learned a lot of incomplete addresses. I
> have some class B networks (from history), and this means the router
> will learn more than 2^16 addresses.
>
> Now the kernel learns a maximum of addresses. I know this is defined by
> gc_thresh1, gc_thresh2 and gc_thresh3 in the proc system under
> sys.net.ipv4.neigh.default. If the table has the maximum addresses in the
> table (default=1024), no new host can send traffic packets over this router.
> This means we have a classical risk of DoS. In my case I have only an
> internal risk, but some providers may also have an external risk.
>
> I hope my description helps you to find this error. I also send my kernel
> config; maybe there is some relation to small configurations in the kernel.
>
> Kind regards
>
> Robert Gladewitz
>

CC'ing netdev.

-- 
Thanks,
//richard
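A defender-side check for the condition the report describes, added here as an example and not part of the thread: it counts neighbour entries, and the INCOMPLETE/FAILED ones among them, against net.ipv4.neigh.default.gc_thresh3 (assumed readable from /proc; the sample table below is constructed), so table exhaustion can be alerted on before new hosts stop getting through the router.

```sh
#!/bin/sh
# Constructed sample in the format of `ip -4 neigh show` (not output from the
# reporter's router); the neighbour state is always the last column.
SAMPLE_NEIGH='10.1.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.1.0.6 dev eth0  INCOMPLETE
10.1.0.7 dev eth0  INCOMPLETE
10.1.0.8 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.1.0.9 dev eth0  FAILED'

# count_total: number of neighbour entries read from stdin
count_total() {
  awk 'NF > 0 { n++ } END { print n + 0 }'
}

# count_state STATE: entries on stdin whose state column equals STATE
count_state() {
  awk -v want="$1" '$NF == want { n++ } END { print n + 0 }'
}

# read_thresh N DEFAULT: gc_threshN from /proc, or DEFAULT when unreadable
read_thresh() {
  f="/proc/sys/net/ipv4/neigh/default/gc_thresh$1"
  if [ -r "$f" ]; then cat "$f"; else echo "$2"; fi
}

# gc_status TOTAL THRESH3: FULL once the hard limit is reached (the kernel
# refuses new neighbours), WARN at 80% or more of it, OK otherwise
gc_status() {
  if [ "$1" -ge "$2" ]; then echo FULL
  elif [ $(( $1 * 10 )) -ge $(( $2 * 8 )) ]; then echo WARN
  else echo OK
  fi
}

# report: summarise a neighbour table read from stdin against gc_thresh3
report() {
  input=$(cat)
  t3=$(read_thresh 3 1024)
  total=$(printf '%s\n' "$input" | count_total)
  inc=$(printf '%s\n' "$input" | count_state INCOMPLETE)
  failed=$(printf '%s\n' "$input" | count_state FAILED)
  echo "entries=$total incomplete=$inc failed=$failed gc_thresh3=$t3 status=$(gc_status "$total" "$t3")"
}

# Use the live table when `ip` is available, otherwise the constructed sample.
if command -v ip >/dev/null 2>&1; then ip -4 neigh show | report
else printf '%s\n' "$SAMPLE_NEIGH" | report; fi
```

A high INCOMPLETE count together with WARN or FULL is the signature of the table filling with unanswered lookups rather than with real hosts.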
