tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: frag6: better limitation

Le 25/01/2018 à 22:37, Joerg Sonnenberger a écrit :
On Thu, Jan 25, 2018 at 10:32:42PM +0100, Maxime Villard wrote:
Now, if someone floods the machine with fragments, the kernel will at some
point kick all the fragments that come from this someone's address. Obviously,
an attacker could be able to use a different src address; but then we rely
on the firewall to reject the packets earlier.

I don't understand what you mean here. The typical scenario here is
someone sending fragments with a randomized host part. Given that IPv6
has enough space for that, it is not really possible to restrict that.

Perhaps an example will illustrate what I meant. If you have a firewall
configuration that says:

	allow incoming IP_A on wm0 (local network)
	allow incoming IP_B on wm1 (public network)

An attacker can send fragments (from the outside) with a source address of
IP_B, the firewall won't kick these. The kernel maintains a per-IP limit, so
if there is a flood, the fragments from IP_B will still go through the
firewall but the kernel won't process them.

The point is, meanwhile, IP_A can still send fragments without being
affected: the kernel will process them. So we avoid a form of DoS...


Home | Main Index | Thread Index | Old Index