[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS

forwarded 684072 http://www.freebsd.org/cgi/query-pr.cgi?pr=158726

The description of the problem is:

  When flooding the local network with random router advertisements,
  hosts and routers update the network information, consuming all
  available CPU resources, making the systems unusable and unresponsive.

It happens only iff IPv6 autoconfiguration is enabled.
But we have only two choices

a) allow autoconfiguration and trust the network to provide correct input
   for autoconfiguration

b) disable autoconfiguration and configure interface manually

Whether autoconfiguration is enabled is controlled by sysctl.
The pristine FreeBSD have autoconfiguration disabled,
our kernel have it enabled to match Linux kernel behaviour:

kfreebsd-8 (8.0-9) unstable; urgency=low

  [ Aurelien Jarno ]
  * Default to netinet6.ip6.v6only=0 and netinet6.ip6.accept_rtadv=1
    to match the Linux kernel defaults.

 -- Aurelien Jarno <aurel32@debian.org>  Wed, 23 Jun 2010 21:31:54 +0200

What should we do ?


Reply to: