tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: frag6: better limitation

On Thu, Jan 25, 2018 at 10:32:42PM +0100, Maxime Villard wrote:
> Now, if someone floods the machine with fragments, the kernel will at some
> point kick all the fragments that come from this someone's address. Obviously,
> an attacker could be able to use a different src address; but then we rely
> on the firewall to reject the packets earlier.

I don't understand what you mean here. The typical scenario here is
someone sending fragments with a randomized host part. Given that IPv6
has enough space for that, it is not really possible to restrict that.


Home | Main Index | Thread Index | Old Index