 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Slawa Olhovchenkov                   2:5030/500     09 Jan 2004  03:23:12
 To : All
 Subject : News from the fields
 -------------------------------------------------------------------------------- 
 
 
 Not in chronological order.
 
 New openssh.
 
 andre       2004/01/08 09:40:07 PST
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet          ip_icmp.c tcp.h tcp_input.c tcp_subr.c
                          tcp_usrreq.c tcp_var.h
   Log:
   Limiters and sanity checks for TCP MSS (maximum segment size)
   resource exhaustion attacks.
 
   For network link optimization TCP can adjust its MSS and thus
   packet size according to the observed path MTU.  This is done
   dynamically based on feedback from the remote host and network
   components along the packet path.  This information can be
   abused to pretend an extremely low path MTU.
 
   The resource exhaustion works in two ways:
 
    o during tcp connection setup the advertized local MSS is
      exchanged between the endpoints.  The remote endpoint can
      set this arbitrarily low (except for a minimum MTU of 64
      octets enforced in the BSD code).  When the local host is
      sending data it is forced to send many small IP packets
      instead of a large one.
 
      For example instead of the normal TCP payload size of 1448
      it forces TCP payload size of 12 (MTU 64) and thus we have
      a 120 times increase in workload and packets. On fast links
      this quickly saturates the local CPU and may also hit pps
      processing limits of network components along the path.
 
      This type of attack is particularly effective for servers
      where the attacker can download large files (WWW and FTP).
 
      We mitigate it by enforcing a minimum MTU settable by sysctl
      net.inet.tcp.minmss defaulting to 256 octets.
 
    o the local host is receiving data on a TCP connection from
      the remote host.  The local host has no control over the
      packet size the remote host is sending.  The remote host
      may choose to do what is described in the first attack and
      send the data in packets with a TCP payload of at least
      one byte.  For each packet the tcp_input() function will
      be entered, the packet is processed and a sowakeup() is
      signalled to the connected process.
 
      For example an attack with 2 Mbit/s gives 4716 packets per
      second and the same amount of sowakeup()s to the process
      (and context switches).
 
      This type of attack is particularly effective for servers
      where the attacker can upload large amounts of data.
      Normally this is the case with WWW server where large POSTs
      can be made.
 
      We mitigate this by calculating the average MSS payload per
      second.  If it goes below 'net.inet.tcp.minmss' and the pps
      rate is above 'net.inet.tcp.minmssoverload' defaulting to
      1000 this particular TCP connection is reset and dropped.
 
   MITRE CVE:      CAN-2004-0002
   Reviewed by:    sam (mentor)
   MFC after:      1 day
 
 rwatson     2004/01/08 14:49:23 PST
 
   FreeBSD src repository
 
   Modified files:
     sys/kern             tty.c
   Log:
   Improve the expressiveness of ttyinfo (^T) when dealing with threads
   in slightly less usual states:
 
     If the thread is on a run queue, display "running" if the thread is
     actually running, otherwise, "runnable".
 
     If the thread is sleeping, and it's on a sleep queue, display the
     name of the queue, otherwise "unknown" -- previously, in this situation
     we would display "iowait".
 
     If the thread is waiting on a lock, display *lockname.
 
     If the thread is suspended, display "suspended" -- previously, in
     this situation we would display "iowait".
 
     If the thread is waiting for an interrupt, display "intrwait" --
     previously, in this situation we would display "iowait".
 
     If the thread is in a state not handled by the above, display
     "unknown" -- previously, we would print "iowait".
 
   Among other things, this avoids displaying "iowait" when the foreground
   process turns out to be suspended waiting for a debugger to properly
   attach.

 From: Poul-Henning Kamp <phk@phk.freebsd.dk>
 Subject: REVIEW & TEST: libalias megapatch
 http://phk.freebsd.dk/patch/libalias.patch
 
 This patch makes it possible to have multiple packet aliasing
 instances in a single process.
 
 Redefine a new API based on s/PacketAlias/LibAlias/g
 
 Add new "instance" argument to all functions in the new API.
 
 Put all global variables in the instance structure.
 
 Implement old API in terms of the new API.
 
 No functional change.
 
 No functions removed so there is no need for shlib version bump,
 only an updating entry and a __FreeBSD_version bump.
 The intent is to subsequently add a "multilink" facility to natd(8)
 for people with two xDSL lines to different providers etc.
 
 For this we need to run one packet-aliasing engine per line, and
 in order to not totally toast throughput, this should not result
 in more context switches than we are used to.  (ie: not
 kern/usr/kern/usr/kern for the second line, but just kern/usr/kern
 as always).
 
 This patch makes it possible for programs like natd to run multiple
 packet-aliasing engines, this was not previously possible because
 of the widespread use of global variables in libalias.
 ... Modem, modem, the Chukcha wants mail!
 --- GoldED+/BSD 1.1.5
  * Origin:  (2:5030/500)
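The two mitigations in andre's commit log above (clamping the peer's advertised MSS to net.inet.tcp.minmss, and resetting a connection whose average payload per segment drops below minmss while its segment rate exceeds net.inet.tcp.minmssoverload) as an added C example. This is not FreeBSD's tcp_input.c; the struct names, the one-second accounting window and the replayed sample streams are constructed here, while the defaults 256 and 1000 and the 4716 packets/s figure are the ones the log states.

```c
/* Added illustration, not FreeBSD source: a user-space model of the
 * net.inet.tcp.minmss / net.inet.tcp.minmssoverload checks described in
 * the commit log. struct names, the one-second window and the sample
 * streams are constructed here; the defaults 256 and 1000 are the ones
 * the log states. */
#include <stdio.h>
#include <stddef.h>

#define TCP_MINMSS         256    /* net.inet.tcp.minmss default */
#define TCP_MINMSSOVERLOAD 1000   /* net.inet.tcp.minmssoverload default */
#define MAX_SAMPLES        8192

/* Sending side: the MSS a peer advertises at connection setup is raised
 * to the configured minimum, so a peer cannot force 12-byte segments. */
int clamp_peer_mss(int advertised_mss, int minmss)
{
    return advertised_mss < minmss ? minmss : advertised_mss;
}

/* Receiving side: per-connection counters for the current one-second
 * window (hypothetical, stands in for fields of the kernel's tcpcb). */
struct rx_counter {
    long          window_sec;  /* second the current window belongs to */
    unsigned long packets;     /* data segments seen in this window */
    unsigned long bytes;       /* payload bytes seen in this window */
};

/* Account one incoming data segment arriving at time 'now' (seconds).
 * When a window closes, returns 1 if the connection should be reset:
 * more than 'minmssoverload' segments per second whose average payload
 * fell below 'minmss'. Otherwise returns 0. */
int rx_segment(struct rx_counter *c, long now, unsigned long payload,
               int minmss, int minmssoverload)
{
    if (now != c->window_sec) {
        /* packets is checked first, so the division is never by zero */
        int overload = c->packets > (unsigned long)minmssoverload &&
                       c->bytes / c->packets < (unsigned long)minmss;
        c->window_sec = now;
        c->packets = 0;
        c->bytes = 0;
        if (overload)
            return 1;
    }
    c->packets++;
    c->bytes += payload;
    return 0;
}

struct sample { long sec; unsigned long payload; };
static struct sample stream[MAX_SAMPLES];

/* Build a constructed stream: 'n' segments of 'payload' bytes inside
 * second 0, then one segment in second 1 that closes the window. */
size_t build_burst(size_t n, unsigned long payload)
{
    size_t i;
    for (i = 0; i < n && i < MAX_SAMPLES - 1; i++) {
        stream[i].sec = 0;
        stream[i].payload = payload;
    }
    stream[i].sec = 1;
    stream[i].payload = payload;
    return i + 1;
}

/* Replay the stream; return the index at which the policy would reset
 * the connection, or -1 if it survives. */
int replay(const struct sample *s, size_t n, int minmss, int minmssoverload)
{
    struct rx_counter c;
    size_t i;
    if (n == 0)
        return -1;
    c.window_sec = s[0].sec;
    c.packets = 0;
    c.bytes = 0;
    for (i = 0; i < n; i++)
        if (rx_segment(&c, s[i].sec, s[i].payload, minmss, minmssoverload))
            return (int)i;
    return -1;
}

/* Convenience: build and replay with the default sysctl values. */
int burst_drop_index(size_t n, unsigned long payload)
{
    return replay(stream, build_burst(n, payload),
                  TCP_MINMSS, TCP_MINMSSOVERLOAD);
}

int main(void)
{
    printf("peer MSS 12 clamped to %d\n", clamp_peer_mss(12, TCP_MINMSS));
    /* the log's 2 Mbit/s case: 4716 one-byte segments per second */
    printf("4716 x 1-byte segments/s: reset at segment %d\n",
           burst_drop_index(4716, 1));
    printf("4716 x 1448-byte segments/s: reset at %d (-1 = kept)\n",
           burst_drop_index(4716, 1448));
    printf("50 x 1-byte segments/s (interactive): reset at %d\n",
           burst_drop_index(50, 1));
    return 0;
}
```

The third replay is the reason both thresholds are needed: an interactive session also sends one-byte segments, but at a few dozen per second it never exceeds minmssoverload, so only the combination of tiny average payload and high segment rate triggers the reset.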
 
 