Subject: NetBSD not vulnerable to TCP reassembly mbuf DoS
From: NetBSD Security-Officer
List: tech-security
Date: 03/04/2004 13:36:36

		 NetBSD Security Note 20040304-1

Topic:		NetBSD not vulnerable to TCP reassembly mbuf DoS

The FreeBSD project recently published FreeBSD-SA-04:04.tcp, 
describing a denial-of-service vulnerability based on mbuf exhaustion. 
The NetBSD Security Officer team was aware of this issue, and would 
like to reassure users that NetBSD is not vulnerable. 

The TCP reassembly code in NetBSD was enhanced some time ago to
coalesce mbufs in the reassembly queue as out-of-order TCP segments
arrive.  This greatly reduces the potential number of mbufs a TCP
reassembly queue can use, because the length of the queue is also
limited to the size of the TCP receive window. 

Additionally, mbufs in a partially-reassembled queue can be drained
and reused in resource-shortage conditions; since the out-of-order TCP
data has not been acknowledged, dropping these segments has the same
effect as if the packets had been dropped in the network, and they
will eventually be retransmitted by a legitimate remote TCP.

Together, these two points mean that this resource-exhaustion attack
is not feasible against a NetBSD host. This was confirmed using test
code supplied by Markus Friedl.
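A simplified model of the two mechanisms described above (merging adjacent out-of-order segments into one buffer, and draining the unacknowledged queue under resource shortage), added here as an illustration; it is not NetBSD's tcp_reass() code. The ReassemblyQueue class and its method names are hypothetical, sequence numbers are plain integers without 32-bit wraparound, and the receive window is treated as fixed.

```python
# Added model of coalescing and draining in a TCP reassembly queue.
# Not kernel code: one list entry stands in for one mbuf (chain).

class ReassemblyQueue:
    """Out-of-order TCP data held until the hole before it is filled."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt      # next in-order byte the receiver expects
        self.rcv_wnd = rcv_wnd      # advertised receive window in bytes (fixed here)
        self.segments = []          # sorted [seq, data]; each entry is one buffer

    def insert(self, seq, data):
        """Queue a segment, merging it with adjacent or overlapping neighbours.
        Returns False if it lies outside the window (a real stack would trim it)."""
        end = seq + len(data)
        if not data or seq < self.rcv_nxt or end > self.rcv_nxt + self.rcv_wnd:
            return False
        self.segments.append([seq, bytes(data)])
        self.segments.sort(key=lambda s: s[0])
        merged = [self.segments[0]]
        for seq2, data2 in self.segments[1:]:
            pseq, pdata = merged[-1]
            pend = pseq + len(pdata)
            if seq2 <= pend:                      # adjacent or overlapping: one buffer
                if seq2 + len(data2) > pend:      # keep only the part beyond what we hold
                    merged[-1][1] = pdata + data2[pend - seq2:]
            else:
                merged.append([seq2, data2])      # a hole remains, so a separate buffer
        self.segments = merged
        return True

    def deliver(self):
        """Hand contiguous data starting at rcv_nxt to the application."""
        out = b""
        while self.segments and self.segments[0][0] == self.rcv_nxt:
            seq, data = self.segments.pop(0)
            out += data
            self.rcv_nxt = seq + len(data)
        return out

    def drain(self):
        """Resource shortage: discard queued out-of-order data. None of it was
        acknowledged, so the peer retransmits it exactly as after packet loss."""
        dropped = sum(len(d) for _, d in self.segments)
        self.segments = []
        return dropped

    def buffer_count(self):
        return len(self.segments)
```

With coalescing, forty one-byte segments that happen to be adjacent occupy a single buffer instead of forty, and the queue can never hold more bytes than the receive window allows.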

Thanks To

Jacques A. Vidrine
Matt Thomas
Markus Friedl

More Information

Information about NetBSD and NetBSD security can be found at and

Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20040304-1.txt,v 1.1 2004/03/04 02:31:28 dan Exp $
