K 10
svn:author
V 6
jesper
K 8
svn:date
V 27
2001-08-06T09:20:57.000000Z
K 7
svn:log
V 815
MFS

src/sys/netinet/ip_input.c      rev 1.130.2.22
src/sys/netinet6/frag6.c        rev 1.2.2.4
src/sys/netinet6/in6_proto.c    rev 1.6.2.4

  Prevent denial of service using bogus fragmented IPv4 packets.

  A attacker sending a lot of bogus fragmented packets to the target
  (with different IPv4 identification field - ip_id), may be able
  to put the target machine into mbuf starvation state.

  By setting a upper limit on the number of reassembly queues we
  prevent this situation.

  This upper limit is controlled by the new sysctl
  net.inet.ip.maxfragpackets which defaults to nmbclusters/4

  If you want old behaviour (no upper limit) set this sysctl
  to a negative value.

  If you don't want to accept any fragments (not recommended)
  set the sysctl to 0 (zero)

Obtained from:	NetBSD (partially)

END