author | jesper <jesper@FreeBSD.org> | 2001-05-31 21:57:29 +0000 |
---|---|---|
committer | jesper <jesper@FreeBSD.org> | 2001-05-31 21:57:29 +0000 |
commit | 70faf8712a430d49fe0453f62b7f8e4f237ec0d7 (patch) | |
tree | 6b850cfac838c6217a69fee044bd2ddcb01a75ee /sys/netinet6/in6_proto.c | |
parent | 51b1367e426bc4d7f1eb9e2bcf4f1b5bf570ffd7 (diff) | |
download | FreeBSD-src-70faf8712a430d49fe0453f62b7f8e4f237ec0d7.zip FreeBSD-src-70faf8712a430d49fe0453f62b7f8e4f237ec0d7.tar.gz |
Prevent denial of service using bogus fragmented IPv4 packets.

An attacker sending a lot of bogus fragmented packets to the target
(with different IPv4 identification field - ip_id), may be able
to put the target machine into mbuf starvation state.

By setting an upper limit on the number of reassembly queues we
prevent this situation.

This upper limit is controlled by the new sysctl
net.inet.ip.maxfragpackets which defaults to NMBCLUSTERS/4

If you want old behaviour (no upper limit) set this sysctl
to a negative value.

If you don't want to accept any fragments (not recommended)
set the sysctl to 0 (zero)

Obtained from: NetBSD (partially)
MFC after: 1 week
Diffstat (limited to 'sys/netinet6/in6_proto.c')
0 files changed, 0 insertions, 0 deletions
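
The admission rule the commit message describes, as a user-space C model added here for illustration; it is not the FreeBSD code from this commit. The names frag_input, flood and MAXQ, the table layout and the sample source address are assumptions of the model; only the three settings of the limit (negative, zero, positive) come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model of the admission check; names are illustrative, not FreeBSD's. */
#define MAXQ 64                      /* table size of this model only */
struct fragq { uint32_t src; uint16_t ip_id; int used; };

static struct fragq queues[MAXQ];
static int nfragpackets;             /* reassembly queues currently open */
static int maxfragpackets = 4;       /* models net.inet.ip.maxfragpackets */

/* Returns 1 if the fragment is queued, 0 if it is dropped. */
static int frag_input(uint32_t src, uint16_t ip_id)
{
    int i, free_slot = -1;
    for (i = 0; i < MAXQ; i++) {
        if (queues[i].used && queues[i].src == src && queues[i].ip_id == ip_id)
            return 1;                /* joins an existing queue: no new state */
        if (!queues[i].used && free_slot < 0)
            free_slot = i;
    }
    /* New datagram: a negative limit means unlimited, 0 means accept nothing. */
    if (maxfragpackets >= 0 && nfragpackets >= maxfragpackets)
        return 0;
    if (free_slot < 0)
        return 0;                    /* model table full */
    queues[free_slot] = (struct fragq){ src, ip_id, 1 };
    nfragpackets++;
    return 1;
}

/* Constructed input: n first fragments from one source, each with a new ip_id. */
static int flood(int limit, int n)
{
    int i, accepted = 0;
    for (i = 0; i < MAXQ; i++) queues[i].used = 0;
    nfragpackets = 0;
    maxfragpackets = limit;
    for (i = 0; i < n; i++)
        accepted += frag_input(0x0a000001, (uint16_t)i);
    return accepted;
}

int main(void)
{
    printf("limit 4: %d\n", flood(4, 50));
    printf("limit 0: %d\n", flood(0, 50));
    printf("limit -1: %d\n", flood(-1, 50));
    return 0;
}
```

With a positive limit, fragments that belong to an already open queue are still accepted, so the cap bounds new per-datagram state and leaves reassembly in progress alone.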