Subject: NetBSD not vulnerable to TCP reassembly mbuf DoS
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <firstname.lastname@example.org>
Date: 03/04/2004 13:36:36
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Note 20040304-1
Topic: NetBSD not vulnerable to TCP reassembly mbuf DoS
The FreeBSD project recently published FreeBSD-SA-04:04.tcp,
describing a denial-of-service vulnerability based on mbuf exhaustion.
The NetBSD Security Officer team was aware of this issue, and would
like to reassure users that NetBSD is not vulnerable.
The TCP reassembly code in NetBSD was enhanced some time ago to
coalesce mbufs in the reassembly queue as out-of-order TCP segments
arrive. This greatly reduces the potential number of mbufs a TCP
reassembly queue can use, because the length of the queue is also
limited to the size of the TCP receive window.
Additionally, mbufs in a partially-reassembled queue can be drained
and reused in resource-shortage conditions; since the out-of-order TCP
data has not been acknowledged, dropping these segments has the same
effect as if the packets had been dropped in the network, and they
will eventually be retransmitted by a legitimate remote TCP.
Together, these two points mean that this resource-exhaustion attack
is not feasible against a NetBSD host. This was confirmed using test
code supplied by Markus Friedl.
Jacques A. Vidrine
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SN20040304-1.txt,v 1.1 2004/03/04 02:31:28 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
-----END PGP SIGNATURE-----