authorimp <imp@FreeBSD.org>2000-01-28 06:13:09 +0000
committerimp <imp@FreeBSD.org>2000-01-28 06:13:09 +0000
commit9d11326d8605120adbea532fa69211355d967edf (patch)
treeeb7ddca9067c455c52a591ee0e9e14f4d82c1f1b /sys/netinet/ip_icmp.c
parentf8e48f511e5de002b13eb638515c1422d6ca1173 (diff)
Mitigate the stream.c attacks
o Drop all broadcast and multicast source addresses in tcp_input. o Enable ICMP_BANDLIM in GENERIC. o Change default to 200/s from 100/s. This will still stop the attack, but is conservative enough to do this close to code freeze. This is not the optimal patch for the problem, but is likely the least intrusive patch that can be made for this. Obtained from: Don Lewis and Matt Dillon. Reviewed by: freebsd-security
Diffstat (limited to 'sys/netinet/ip_icmp.c')
-rw-r--r--sys/netinet/ip_icmp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 76ff004..c2f464e 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -96,7 +96,7 @@ SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW,
* variable content is -1 and read-only.
*/
-static int icmplim = 100;
+static int icmplim = 200;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
&icmplim, 0, "");
#else
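Review bot: The new default `icmplim = 200` has no unit or rationale at its definition, and the `SYSCTL_INT` that exposes it read-write still has an empty description string (`""`), so an operator tuning the limit during a flood has nothing to go on. The commit message gives the unit as responses per second; I would state it in both places, e.g. `static int icmplim = 200;	/* max ICMP responses per second */` and a description such as `"Maximum number of ICMP responses per second"`. Because the knob is a plain int under `CTLFLAG_RW` with no handler visible here, the comment should also say what zero or a negative value does; the code that consumes `icmplim` is outside the hunk, so I cannot confirm that behaviour from these lines. The enclosing `#ifdef` block and its comment begin above the hunk.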