From toasty@home.dragondata.com  Wed Mar 18 14:03:28 1998
Received: from home.dragondata.com (toasty@home.dragondata.com [204.137.237.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA03887
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 18 Mar 1998 14:03:27 -0800 (PST)
          (envelope-from toasty@home.dragondata.com)
Received: (from toasty@localhost)
	by home.dragondata.com (8.8.8/8.8.5) id QAA27635;
	Wed, 18 Mar 1998 16:03:27 -0600 (CST)
Message-Id: <199803182203.QAA27635@home.dragondata.com>
Date: Wed, 18 Mar 1998 16:03:27 -0600 (CST)
From: toasty@dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Packets from 1.1.1.1 can crash 2.2 server
X-Send-Pr-Version: 3.2

>Number:         6059
>Category:       kern
>Synopsis:       Packets from 1.1.1.1 can crash 2.2 server
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 18 14:10:02 PST 1998
>Closed-Date:    Fri Jul 3 15:59:40 PDT 1998
>Last-Modified:  Fri Jul  3 16:00:09 PDT 1998
>Originator:     Kevin Day
>Release:        FreeBSD 2.2.5-STABLE i386
>Organization:
DragonData
>Environment:

2.2 server

>Description:

NOTE: This hasn't been well tested, if this is the result of operator error,
I apologize, but I can't afford to keep crashing my server to test it. :)

Flood a server with packets from a 1.1.1.1. 

Mar 18 02:02:17 toast /kernel.GENERIC: arpresolve: can't allocate llinfo for 1.1.1.1
Mar 18 02:02:38 toast last message repeated 6 times
Mar 18 02:03:31 toast last message repeated 3 times
Mar 18 02:10:02 toast last message repeated 10 times
Mar 18 02:23:02 toast last message repeated 20 times
Mar 18 02:34:55 toast last message repeated 15 times
Mar 18 02:42:32 toast last message repeated 15 times
Mar 18 02:49:02 toast last message repeated 10 times
Mar 18 03:00:32 toast last message repeated 10 times
Mar 18 03:13:32 toast last message repeated 20 times

After an hour or so of doing this, the server suggests more swap space, then
locks up.


>How-To-Repeat:

Spoof 1.1.1.1, and open lots of tcp connections.

>Fix:
	
No idea. :)
>Release-Note:
>Audit-Trail:

From: Bill Fenner <fenner@parc.xerox.com>
To: toasty@dragondata.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/6059: Packets from 1.1.1.1 can crash 2.2 server 
Date: Thu, 19 Mar 1998 17:11:50 PST

 toasty@dragondata.com wrote:
 >Mar 18 02:02:17 toast /kernel.GENERIC: arpresolve: can't allocate llinfo for 1
 >  .1.1.1
 
 What's your routing table look like?  This implies that your machine
 thinks that 1.1.1.1 is on your local network.
 
 >After an hour or so of doing this, the server suggests more swap space, then
 >locks up.
 
 I'm currently spoofing 30 SYN's/second from 1.1.1.1 against a 2.2.2
 machine.  I'll let it run and see what happens.
 
   Bill

From: Bill Fenner <fenner@parc.xerox.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: toasty@dragondata.com
Subject: Re: kern/6059: Packets from 1.1.1.1 can crash 2.2 server 
Date: Thu, 19 Mar 1998 23:17:13 PST

 Ok, I let the SYN attack run for 6 hours; at 30 packets per second,
 that was somewhere in the neighborhood of 648,000 SYN packets.  No
 messages, no crash.  The only indication that anything was going on was
 that my firewall administrator yelled at me =)
 
 Maybe if we can figure out how you produced the arpresolve error there'll
 be some way to replicate this.
 
   Bill

From: Kevin Day <toasty@home.dragondata.com>
To: freebsd-gnats-submit@freebsd.org
Cc:  Subject: kern/6059: Close me
Date: Sun, 28 Jun 1998 20:52:36 -0500 (CDT)

 This PR can be closed, if desired.
 
 I can't duplicate it here on 2.2.6, and the machine in question was a 2.2.
 It may have been entirely coincidental, as well.
 
 I have seen all sorts of weird 'cannot allocate llinfo' messages though, so
 perhaps there's a greater problem. I've seen it complain that it can't
 allocate llinfo for an IP that's bound to the machine itself, and i've seen
 it complain about garbage.. (i.e. cannot allocate llinfo for:
 204.137.237.254rt@@@@@@@  is in my log right now...)
 
 
 
 Kevin
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Fri Jul 3 15:59:40 PDT 1998 
State-Changed-Why:  
Closed at originator's request. 
>Unformatted:
Kevin Day
