From owner-freebsd-net Sun Dec 17 8:26:23 2000
From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 08:26:19 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id AC49C37B400; Sun, 17 Dec 2000 08:26:14 -0800 (PST)
Received: by gw.nectar.com (Postfix, from userid 1001) id DA78D193E1; Sun, 17 Dec 2000 10:26:13 -0600 (CST)
Date: Sun, 17 Dec 2000 10:26:13 -0600
From: "Jacques A. Vidrine"
To: freebsd-net@FreeBSD.org
Cc: Poul-Henning Kamp , Kris Kennaway , jesper@skriver.dk, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217102613.B61976@spawn.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , freebsd-net@FreeBSD.org, Poul-Henning Kamp , Kris Kennaway , jesper@skriver.dk, security-officer@FreeBSD.org
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001217095914.A61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 09:59:14AM -0600
X-Url: http://www.nectar.com/
Sender: nectar@nectar.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Moved to freebsd-net]

On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> >
> > There was some discussion on the list, and the result was that the
> > default is this behaviour is "off" for now.
> >
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
>
> [ I haven't looked at the patch ]
>
> ICMP packets include the headers of the packets that `triggered' them,
> so we do have a sequence number.
>
> I think the correct thing to do is to pull the source address,
> destination address, source port, destination port, and sequence number
> from the ICMP message, and zap the corresponding connection IFF the
> sequence number is in the window.

Jesper,

I'm sorry I missed this thread on -hackers (I just caught up using the
archive). I'm glad this is off by default.

While clearly these ICMP messages need to be handled, I think the
approach taken has fatal flaws:

  (1) This opens a new DoS attack
  (2) These same messages are not handled for connections not in
      SYN-SENT: they ought to be

Are you planning on addressing these issues? I don't think this code
should make it to -STABLE as-is.

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
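The check proposed in the quoted text (pull the source and destination address, the ports and the sequence number out of the ICMP message, and zap the matching connection only if that sequence number is in the window), written out as an added example in C. This is not code from the thread, from the commit under discussion, or from FreeBSD's ip_icmp.c/tcp_subr.c: the connection table, the packet builder, the addresses and the verdict codes are this example's own constructions; only the snd_una/snd_max field names and the SEQ_GEQ/SEQ_LT macros echo FreeBSD's tcp_var.h and tcp_seq.h.

```c
/*
 * Added example, not FreeBSD's code: drop a TCP connection on an ICMP
 * "destination unreachable" only if the ICMP message quotes our 4-tuple
 * AND a sequence number inside our send window.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tcp_conn {                /* constructed connection record */
    uint32_t laddr, faddr;       /* local / foreign IPv4 address, host order */
    uint16_t lport, fport;       /* local / foreign port, host order */
    uint32_t snd_una;            /* oldest unacknowledged sequence number */
    uint32_t snd_max;            /* highest sequence number sent, plus one */
    int dropped;                 /* set when icmp_zap_connection() zaps it */
};

/* Modular sequence-number comparisons in the style of tcp_seq.h. */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)

enum icmp_verdict { ICMP_IGNORED, ICMP_NO_MATCH, ICMP_SEQ_OUT_OF_WINDOW, ICMP_DROPPED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/*
 * icmp: the ICMP message as received: 8 bytes of ICMP header, then the
 * quoted IPv4 header of the packet that triggered the error and (RFC 792)
 * at least the first 8 bytes of that packet's payload. For TCP those 8
 * bytes are source port, destination port and sequence number.
 */
enum icmp_verdict icmp_zap_connection(const uint8_t *icmp, size_t len,
                                      struct tcp_conn *tab, size_t ntab)
{
    if (len < 8 || icmp[0] != 3 /* ICMP_UNREACH */)
        return ICMP_IGNORED;
    const uint8_t *ip = icmp + 8;
    size_t rem = len - 8;
    if (rem < 20 || (ip[0] >> 4) != 4)
        return ICMP_IGNORED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || rem < ihl + 8 || ip[9] != 6 /* IPPROTO_TCP */)
        return ICMP_IGNORED;

    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    const uint8_t *th = ip + ihl;
    uint16_t sport = rd16(th), dport = rd16(th + 2);
    uint32_t seq = rd32(th + 4);

    /* The quoted packet is one we sent, so its source is our local side. */
    for (size_t i = 0; i < ntab; i++) {
        struct tcp_conn *c = &tab[i];
        if (c->laddr != src || c->faddr != dst ||
            c->lport != sport || c->fport != dport)
            continue;
        /* A forger who knows the 4-tuple must still land in [snd_una, snd_max). */
        if (!(SEQ_GEQ(seq, c->snd_una) && SEQ_LT(seq, c->snd_max)))
            return ICMP_SEQ_OUT_OF_WINDOW;
        c->dropped = 1;
        return ICMP_DROPPED;
    }
    return ICMP_NO_MATCH;
}

/* Construct an ICMP error (checksum left zero) quoting a 20-byte IP header + 8 TCP bytes. */
size_t build_icmp_error(uint8_t *buf, uint8_t type, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = type; buf[1] = 1;                 /* code 1: host unreachable */
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, src); wr32(ip + 16, dst);
    uint8_t *th = ip + 20;
    wr16(th, sport); wr16(th + 2, dport); wr32(th + 4, seq);
    return 36;
}

/*
 * One constructed connection 192.168.0.1:40000 -> 10.0.0.1:80. In SYN-SENT
 * only the SYN is outstanding (snd_una == iss, snd_max == iss + 1), so the
 * window is the single value iss.
 */
enum icmp_verdict verdict_for(uint8_t type, uint16_t sport, uint32_t seq,
                              uint32_t snd_una, uint32_t snd_max)
{
    struct tcp_conn tab[1] = {{ 0xc0a80001u, 0x0a000001u, 40000, 80, snd_una, snd_max, 0 }};
    uint8_t pkt[36];
    size_t n = build_icmp_error(pkt, type, 0xc0a80001u, 0x0a000001u, sport, 80, seq);
    return icmp_zap_connection(pkt, n, tab, 1);
}

int main(void)
{
    uint32_t iss = 0x7fffffffu;
    printf("forged seq -> verdict %d\n", verdict_for(3, 40000, iss - 1, iss, iss + 1));
    printf("real seq   -> verdict %d\n", verdict_for(3, 40000, iss, iss, iss + 1));
    return 0;
}
```

The point the quoted text relies on is visible in the parser: RFC 792 requires an ICMP error to carry the offending packet's IP header plus at least its first 64 bits of data, and for TCP those 64 bits are exactly the two ports and the sequence number, so a blind attacker who guesses the 4-tuple still has to hit a 32-bit value. The SEQ_GEQ/SEQ_LT comparisons are modular, so the check also behaves correctly when the window straddles the 2^32 wrap.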