From owner-freebsd-security Sat Nov 22 17:50:53 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA10151 for security-outgoing; Sat, 22 Nov 1997 17:50:53 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA10118 for ; Sat, 22 Nov 1997 17:50:42 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199711230150.RAA10118@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA194959805; Sun, 23 Nov 1997 12:50:06 +1100
Date: Sun, 23 Nov 1997 12:50:06 +1100
From: Darren Reed
Apparently-To: security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>From owner-bugtraq@NETSPACE.ORG Sun Nov 23 10:52:48 EDT 1997 remote from cheops
Received: from brimstone.netspace.org by postbox.anu.edu.au with ESMTP (1.37.109.16/16.2) id AA065112764; Sun, 23 Nov 1997 10:52:44 +1100
Received: from unknown@netspace.org (port 19009 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97815-18069>; Sat, 22 Nov 1997 18:01:59 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 5806752 for BUGTRAQ@NETSPACE.ORG; Sat, 22 Nov 1997 17:57:38 -0500
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id RAA30774 for ; Sat, 22 Nov 1997 17:46:32 -0500
Received: from unknown@netspace.org (port 19009 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97470-15165>; Sat, 22 Nov 1997 17:46:08 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by netspace.org (8.8.7/8.8.2) with ESMTP id OAA24040 for ; Sat, 22 Nov 1997 14:43:09 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id OAA08548; Sat, 22 Nov 1997 14:47:21 -0500 (EST)
References:
Lines: 25
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id:
Date: Sat, 22 Nov 1997 14:47:20 -0500
Reply-To: "Charles M. Hannum"
Sender: avalon
From: "Charles M. Hannum"
Subject: Re: "LAND" Attack Update
X-To: Aleph One
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: mycroft@mit.edu's message of 22 Nov 1997 14:19:11 -0500

mycroft@mit.edu (Charles M. Hannum) writes:

>
> 2) A socket in LISTEN state is not initiating a connection attempt, so
>    if it receives a SYN-only packet from itself, it *must* be a
>    forgery.  A self-connect would cause the socket to no longer be in
>    LISTEN state before the SYN-only packet arrives.  There's no point
>    in sending a RST in this case, since we'd just be sending it to
>    ourselves.
>
> (Actually, this change isn't really complete; in theory, if the
> LISTEN socket was bound to INADDR_ANY, then we should check whether
> the source address of the SYN was any of our local addresses, not
> just that it matches the destination.  However, a failure to detect
> the attack at this point will merely generate an extra SYN+ACK that
> will be dropped by the first change.)

BTW, on a related note...

The FreeBSD hack to `fix' (or not allow) self-connects DOES NOT WORK FOR
MULTIHOMED HOSTS.  It's still possible to crash a multihomed FreeBSD
system by locally running a program that connects a TCP socket to
itself.
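The two checks Hannum contrasts above, the narrow "source equals destination" test and the INADDR_ANY test against every local address, written out as an added example for this page. This is illustration code, not the NetBSD or FreeBSD kernel change being discussed: the `tcp_seg` struct, the `IP4` macro, the address list `local_addrs` and the sample segments are all constructed here, and only the `TH_*` flag values follow the BSD TCP header definitions. The point it makes is the multihomed case: a SYN-only segment arriving on a listening port from a *different* local address passes the narrow check but is still a forgery, which is exactly the gap the message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, as laid out in the TCP header flags byte. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Constructed helper: pack a dotted quad into a host-order IPv4 address. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal view of an inbound TCP segment; constructed for this example,
 * not a kernel structure. Addresses are IPv4 in host byte order. */
struct tcp_seg {
    uint32_t src_addr;
    uint32_t dst_addr;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  flags;
};

/* Constructed interface list for a multihomed host (two local addresses). */
static const uint32_t local_addrs[] = { IP4(10, 0, 0, 1), IP4(192, 0, 2, 1) };
static const size_t n_local = sizeof local_addrs / sizeof local_addrs[0];

/* True only for a bare SYN: no ACK, RST or FIN set alongside it. */
static bool syn_only(uint8_t flags) {
    return (flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN;
}

/* Does addr belong to one of this host's own interfaces? */
static bool is_local_addr(uint32_t addr, const uint32_t *local, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (local[i] == addr)
            return true;
    return false;
}

/* Narrow check: source must equal destination exactly. Enough for a socket
 * bound to a single address, but on a multihomed host it misses a segment
 * whose source is one of the host's *other* addresses. */
bool land_forged_narrow(const struct tcp_seg *s) {
    return syn_only(s->flags)
        && s->src_addr == s->dst_addr
        && s->src_port == s->dst_port;
}

/* Check for a LISTEN socket bound to INADDR_ANY: a SYN-only segment that
 * claims to come from any local address on the listening port cannot be a
 * genuine self-connect (that socket would already have left LISTEN), so it
 * is forged and can be dropped without sending a RST to ourselves. */
bool land_forged_listen(const struct tcp_seg *s, const uint32_t *local, size_t n) {
    return syn_only(s->flags)
        && s->src_port == s->dst_port
        && is_local_addr(s->src_addr, local, n);
}

int main(void) {
    /* Constructed: SYN from the host's second address to its first, same port. */
    struct tcp_seg multihomed = { IP4(192, 0, 2, 1), IP4(10, 0, 0, 1), 139, 139, TH_SYN };
    printf("narrow check: %s\n",
           land_forged_narrow(&multihomed) ? "forged" : "not detected");
    printf("listen check: %s\n",
           land_forged_listen(&multihomed, local_addrs, n_local) ? "forged" : "not detected");
    return 0;
}
```

Run stand-alone, the program reports the multihomed segment as "not detected" by the narrow check and "forged" by the listen check; a normal inbound SYN from a remote address, or a segment with ACK set, passes both checks untouched.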