Subject: Re: fragmentation attack
To: <>
From: Ignatios Souvatzis <>
List: tech-net
Date: 04/25/2002 21:26:05
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 25, 2002 at 12:17:16PM +0300, Tero Kivinen wrote:
> That is going to be 8000 fragments. The ip_input will find the struct
> ipq *fp to match that packet. The struct ipq *fp will have list of all
> those fragments belonging to same packet as a list and it will go
> through that list twice in the ip_reass function (one to find out
> where to put the fragment, and second time to see if the packet is
> complete).
> This means that for each of those 56 byte (48 bytes of ip header
> (header + some options) and 8 bytes of actual data) * 8000 fragment
> packets, we do 2 * 8000 * 8000 / 2 list operations. This means that we
> do 64000000 list operations for each 448000 bytes of data. If each

I wonder: shouldn't that per-packet list be a per-packet balanced tree of
some sort, such that the case above would be some constant times
8000 log 8000?


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see