On 14 Nov 2002, Jason Dixon wrote:
> Hi all:
>
> If this is a silly question, so be it. ;-)
>
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it. Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> on).
>
> (yes, I know DoS attacks are basically undefensible, but read on...)
>
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000. I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug".
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
This started out as a temporary solution. Isn't it time to solve the real
problem (the pool exhaustion bug)? Or is it impossible to fix this?
CVSROOT: /cvs
Module name: src
Changes by: [EMAIL PROTECTED] 2002/02/26 00:25:33
Modified files:
sys/net : pfvar.h pf.c pf_norm.c
sbin/pfctl : pfctl.c pfctl.8
Log message:
Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.
I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
is still open. So it's still possible to crash a firewall if you don't
have a state limit set. And apparantly it's possible to crash it even when
a fragment limit is set.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
