
Re: Scrub and Kernel Panics

On 14 Nov 2002, Jason Dixon wrote:
> Hi all:
> If this is a silly question, so be it.  ;-)
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it.  Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> on).
> (yes, I know DoS attacks are basically undefensible, but read on...)
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000.  I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug".
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
This started out as a temporary solution. Isn't it time to solve the real
problem (the pool exhaustion bug)? Or is it impossible to fix this?
Module name:	src
Changes by:	dhartmei@cvs.openbsd.org	2002/02/26 00:25:33
Modified files:
	sys/net        : pfvar.h pf.c pf_norm.c
	sbin/pfctl     : pfctl.c pfctl.8
Log message:
Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.
I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
is still open. So it's still possible to crash a firewall if you don't
have a state limit set. And apparently it's possible to crash it even when
a fragment limit is set.
Dries Schellekens
email: gwyllion@ulyssis.org
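As an added illustration (not part of either mail above, and not code from the OpenBSD tree): a pf.conf fragment that sets both pool hard limits introduced by the commit quoted in the thread, `set limit states` and `set limit frags`, ahead of the scrub rule. The numbers are assumptions chosen to match the values the thread mentions; pick them for your own box from the memory you can afford to hand to the fragment and state pools.

```conf
# /etc/pf.conf fragment (added example, values are assumptions)

# Pool memory hard limits. Options must come before scrub, nat and
# filter rules. "frags" caps the number of fragment entries scrub may
# hold for reassembly; "states" caps the state table. Once a limit is
# reached pf refuses to allocate further entries instead of letting
# pool_get() run the kernel out of memory.
set limit states 10000
set limit frags  5000

# Fragment reassembly on every inbound interface. Without a frags limit
# a flood of never-completed fragments grows this pool without bound.
scrub in all
```

Load it with `pfctl -f /etc/pf.conf` and confirm the caps with `pfctl -s memory`, which prints the current hard limits for both pools. The thread's own observation still applies: a hard limit bounds the pool, but whether the firewall survives hitting that bound depends on the pool-exhaustion handling PR 2309 is about, so test the limit in the lab with a fragment flood before relying on it.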