[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Scrub and Kernel Panics



On 14 Nov 2002, Jason Dixon wrote:
> Hi all:
>
> If this is a silly question, so be it.  ;-)
>
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it.  Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> on).
>
> (yes, I know DoS attacks are basically undefensible, but read on...)
>
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000.  I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug".
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
This started out as a temporary solution. Isn't it time to solve the real
problem (the pool exhaustion bug)? Or is it impossible to fix this?
CVSROOT:	/cvs
Module name:	src
Changes by:	dhartmei@cvs.openbsd.org	2002/02/26 00:25:33
Modified files:
	sys/net        : pfvar.h pf.c pf_norm.c
	sbin/pfctl     : pfctl.c pfctl.8
Log message:
Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.
I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
is still open. So it's still possible to crash a firewall if you don't
have a state limit set. And apparantly it's possible to crash it even when
a fragment limit is set.
Cheers,
Dries
-- 
Dries Schellekens
email: gwyllion@ulyssis.org