On 25/01/2018 at 22:37, Joerg Sonnenberger wrote:
> On Thu, Jan 25, 2018 at 10:32:42PM +0100, Maxime Villard wrote:
>> Now, if someone floods the machine with fragments, the kernel will at
>> some point kick all the fragments that come from this someone's address.
>> Obviously, an attacker could be able to use a different src address; but
>> then we rely on the firewall to reject the packets earlier.
>
> I don't understand what you mean here. The typical scenario here is someone
> sending fragments with a randomized host part. Given that IPv6 has enough
> space for that, it is not really possible to restrict that.
Perhaps an example will illustrate what I meant. If you have a firewall
configuration that says:

    allow incoming IP_A on wm0 (local network)
    allow incoming IP_B on wm1 (public network)

An attacker can send fragments (from the outside) with a source address of
IP_B, the firewall won't kick these. The kernel maintains a per-IP limit, so if
there is a flood, the fragments from IP_B will still go through the firewall
but the kernel won't process them. The point is, meanwhile, IP_A can still send
fragments without being affected: the kernel will process them. So we avoid a
form of DoS...

Maxime
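The two scenarios debated above, as an added toy model (not NetBSD's reassembly code): a per-source fragment cap lets IP_A keep going while a single spoofed IP_B floods, but once the flood comes from a randomized host part and fills the (hypothetical) table of tracked sources, IP_A starves too. MAX_SRCS, FRAGS_PER_SRC and the addresses are constructed values.

```c
#include <string.h>

#define MAX_SRCS 4        /* hypothetical cap on distinct sources tracked at once */
#define FRAGS_PER_SRC 4   /* hypothetical per-source fragment cap */

struct src_entry { char addr[40]; int nfrags; };
static struct src_entry table[MAX_SRCS];
static int nsrcs;

/* Forget all accounting state (start of a fresh scenario). */
void frag_reset(void) { nsrcs = 0; memset(table, 0, sizeof table); }

/* Find the entry for src, creating one if there is room; NULL when the table is full. */
static struct src_entry *lookup(const char *src) {
    for (int i = 0; i < nsrcs; i++)
        if (strcmp(table[i].addr, src) == 0) return &table[i];
    if (nsrcs == MAX_SRCS) return NULL;
    strncpy(table[nsrcs].addr, src, sizeof table[nsrcs].addr - 1);
    table[nsrcs].nfrags = 0;
    return &table[nsrcs++];
}

/* Returns 1 if a fragment from src is queued, 0 if dropped by the limit. */
int frag_accept(const char *src) {
    struct src_entry *e = lookup(src);
    if (e == NULL || e->nfrags >= FRAGS_PER_SRC) return 0;
    e->nfrags++;
    return 1;
}

/* Send n fragments from src; returns how many the kernel would queue. */
int send_frags(const char *src, int n) {
    int accepted = 0;
    for (int i = 0; i < n; i++) accepted += frag_accept(src);
    return accepted;
}

/* Scenario 1 (Maxime's point): one spoofed address floods, IP_A is unaffected. */
int single_source_flood_ok(void) {
    frag_reset();
    send_frags("IP_B", 100);             /* only FRAGS_PER_SRC of these get queued */
    return send_frags("IP_A", 2) == 2;   /* IP_A is still served */
}

/* Scenario 2 (Joerg's point): randomized host part fills the table, IP_A starves. */
int random_source_flood_ok(void) {
    frag_reset();
    const char *spoofed[] = {"2001:db8::1", "2001:db8::2", "2001:db8::3", "2001:db8::4"};
    for (int i = 0; i < 4; i++) send_frags(spoofed[i], 1);
    return send_frags("IP_A", 2) == 0;   /* no slot left for the legitimate source */
}
```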