Re: Packet Fragmentation Attacks

[Mikael Olsson <mikael.olsson () ENTERNET SE>]

Max wrote:
> [fragment flooding]
> I recieve the following kernel message:
>
> "Aug 24 10:10:43 orion /bsd: ne3: warning - reciever ring buffer
> overrun".

This is a problem on the ethernet/driver level. If the receiver
ring buffer is full, the NIC is receiving packets from faster
than the CPU is despooling them; the result is plain and simple
packet loss.

There could be two causes for this:

1) Your CPU is plain too slow; get a faster one, otherwise
   you'll always experience packet loss if someone is talking
   to you too fast (fragments or no fragments).

2) The defragmentation routine is taking too much time; the result
   would be that the CPU is too busy to despool packets in a
   timely fashion. Maybe the reassembly could be optimized
   a little bit, but in any case, I don't think it'd help much.

In either case, I wouldn't view this as a big problem. Packet
loss is part of normal network operation :)

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se