| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1366848030.8964.98.camel@edumazet-glaptop> Date: Wed, 24 Apr 2013 17:00:30 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Jesper Dangaard Brouer <brouer@...hat.com> Cc: "David S. Miller" <davem@...emloft.net>, Hannes Frederic Sowa <hannes@...essinduktion.org>, netdev@...r.kernel.org Subject: Re: [net-next PATCH 1/4] Revert "inet: limit length of fragment queue hash table bucket lists" On Wed, 2013-04-24 at 17:48 +0200, Jesper Dangaard Brouer wrote: > This reverts commit 5a3da1fe9561828d0ca7eca664b16ec2b9bf0055. > > The problem with commit 5a3da1fe (inet: limit length of fragment queue > hash table bucket lists) is that, once we hit the hash depth limit (of > 128), the we *keep* the existing frag queues, not allowing new frag > queues to be created. Thus, an attacker can effectivly block handling > of fragments for 30 sec (as each frag queue have a timeout of 30 sec) > I do not think its good to revert this patch. It was a step in right direction. Limiting chain length to 128 is good. An attacker can attack a defrag unit, no matter strategy you use, thats why fragments are doomed. The only way to resist to an attack is to have enough memory in defrag unit to accumulate 30 seconds worth of traffic. Thats 30GB of memory if you receive 1GB per second, bit counting the overhead. If the attacker knows the IP address of the user of your defrag unit, you are doomed because IP id are 16bits. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists