Re: [PATCH] ip_fragment.c and related, kernel 2.0.34 - Allows teardrop/IP fragmentation logging.

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Sun, 20 Sep 1998 03:50:40 -0700


In message <Pine.LNX.4.02.9809201035240.1733-100000@manjak.knm.org.pl> you write:
> On Sat, 19 Sep 1998, david wrote:
> > > teardrop/IP fragmentation logging patch
> > the reason why logging extra info on this has not been implemented before
> > is because just about all exploits use spoofed src addresses. that makes
> > logging the 'attacker' ips fairly useless to the admin and quite useful to
> > the attacker because you're adding to the attack by flooding your log
> > files.
> You can just turn IP firewalling on. New ipchains code will block
> and log the packets sent by teardrop.

Just to squish this rumor before it takes hold; this is wrong.

As far as I can tell (2.1.121), overlapping fragments are handled
correctly, without logging (teardrop). Oversize fragments (Ping of
Death) are logged with a net_ratelimit() wrap to avoid flooding the
logs. Neither is checked on packets not defragmented by the Linux box
(either because CONFIG_IP_ALWAYS_DEFRAG is set, or the packet is
destined for the host itself), so be warned.

Rusty.

--
 .sig lost in the mail.
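As an added illustration, not code from this mail or from the kernel, here is a userland C model of the two fragment checks described above: an oversize fragment (Ping of Death) is logged under a simple burst limit standing in for net_ratelimit(), while an overlapping fragment (teardrop) is rejected with no log line at all. The struct names, the 16-entry queue, LOG_BURST and the byte-based offset are assumptions; the real ip_fragment.c handles overlaps differently in detail.

```c
/* Constructed model of fragment sanity checks; not kernel code. */
#include <stdio.h>
#include <stdint.h>

#define IP_MAXPACKET 65535
#define LOG_BURST 5   /* assumed: at most this many log lines per queue */

/* offset is already in bytes (header value * 8); len is payload bytes */
struct frag { uint16_t offset; uint16_t len; };

enum frag_verdict { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2 };

struct reasm {
    struct frag seen[16];   /* fragments already accepted for this datagram */
    int nseen;
    int logged;             /* counter standing in for net_ratelimit() */
};

/* Emit a log line unless the burst budget is spent. Returns 1 if logged. */
static int ratelimited_log(struct reasm *r, const char *msg, const struct frag *f)
{
    if (r->logged >= LOG_BURST)
        return 0;
    r->logged++;
    printf("%s: offset=%u len=%u\n", msg, f->offset, f->len);
    return 1;
}

/* Check one incoming fragment against those already queued. */
enum frag_verdict check_fragment(struct reasm *r, struct frag f)
{
    /* Oversize: the reassembled datagram would exceed 65535 bytes. Logged. */
    if ((uint32_t)f.offset + f.len > IP_MAXPACKET) {
        ratelimited_log(r, "oversize fragment (ping of death)", &f);
        return FRAG_OVERSIZE;
    }
    /* Overlap: byte range intersects a queued fragment. Rejected, no log,
     * since the source address is usually spoofed and logging only adds
     * to the flood. */
    for (int i = 0; i < r->nseen; i++) {
        uint32_t a0 = r->seen[i].offset, a1 = a0 + r->seen[i].len;
        uint32_t b0 = f.offset, b1 = b0 + f.len;
        if (b0 < a1 && a0 < b1)
            return FRAG_OVERLAP;
    }
    if (r->nseen < 16)
        r->seen[r->nseen++] = f;
    return FRAG_OK;
}
```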
