Date:      Tue, 09 Jan 2001 18:58:45 -0700
From:      Wes Peters <wes@softweyr.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        Umesh Krishnaswamy <umesh@juniper.net>, freebsd-security@freebsd.org
Subject:   Re: Spoofing multicast addresses
Message-ID:  <3A5BC1D5.E5F57AE0@softweyr.com>
References:  <Pine.BSF.4.31.0101082237330.11619-100000@achilles.silby.com>

Mike Silbersack wrote:
> 
> On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
> 
> > Hi Folks,
> >
> > I was looking at the code for tcp_drop(). If there is a SYN flood attack,
> > tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
> > in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
> > spoofs multicast IP addresses, then there will be a flood of RST packets being
> > sent out by the machine.
> >
> > I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
> > address is multicast, if so drop without RST. Or maybe, even before that,
> > tcp_input should not accept SYN packets from multicast IP addresses.
> >
> > Thanks.
> > Umesh.
> 
> The check is done when the SYN is received, hence such a situation as you
> describe should not be able to occur.
> 
> From tcp_input.c:
> 
>                 /*
>                  * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
>                  * in_broadcast() should never return true on a received
>                  * packet with M_BCAST not set.
>                  *
>                  * Packets with a multicast source address should also
>                  * be discarded.
>                  */
>                 if (m->m_flags & (M_BCAST|M_MCAST))
>                         goto drop;

The real problem is this check is 675 lines into tcp_input, but probably
should be at the top.  I've just rescanned this and don't recall if m->m_flags
is set before tcp_input is called, or by one of the numerous functions called
in the code leading up to this check.

The comment about discarding bcast/mcast SYN is misleading; there is NO
properly formatted TCP packet *to or from* a broadcast or multicast address.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
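The check the thread is discussing, as a stand-alone added example rather than code from the thread or from FreeBSD's tcp_input.c: a small IPv4/TCP parser that classifies an incoming SYN before any connection state is touched, so a segment to or from a multicast or broadcast address is discarded without a RST ever being generated. It assumes IPv4 only, and recognises only the multicast range (224.0.0.0/4) and the limited broadcast address (255.255.255.255); directed subnet broadcasts depend on interface configuration that the kernel's in_broadcast() consults and this example does not have. The names classify_syn, build_syn and verdict_for are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts returned by classify_syn(). */
enum syn_verdict {
    SYN_ACCEPT = 0,       /* hand the segment to normal SYN processing */
    SYN_DROP_SILENT = 1,  /* discard; no RST is sent, per RFC 1122 4.2.3.10 */
    SYN_NOT_SYN = 2,      /* not a bare SYN; outside this check's concern */
    SYN_MALFORMED = 3     /* too short or not IPv4/TCP; discard */
};

#define TH_SYN 0x02
#define TH_ACK 0x10

/* 224.0.0.0/4 is the IPv4 multicast range (top nibble 1110). */
static int ipv4_is_multicast(uint32_t addr_host_order)
{
    return (addr_host_order & 0xF0000000u) == 0xE0000000u;
}

/* 255.255.255.255 is the limited broadcast address. Directed (subnet)
 * broadcasts are not detected here (assumption: no interface table). */
static int ipv4_is_limited_broadcast(uint32_t addr_host_order)
{
    return addr_host_order == 0xFFFFFFFFu;
}

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an IPv4 packet carrying TCP and decide what to do with a SYN.
 * The address check runs before anything else, so no state is created
 * and no RST can be triggered for a multicast/broadcast source. */
int classify_syn(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return SYN_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 20) return SYN_MALFORMED;
    if (pkt[9] != 6) return SYN_MALFORMED;          /* protocol must be TCP */

    uint32_t src = read_be32(pkt + 12);
    uint32_t dst = read_be32(pkt + 16);
    uint8_t flags = pkt[ihl + 13];                  /* TCP flags byte */

    if ((flags & (TH_SYN | TH_ACK)) != TH_SYN) return SYN_NOT_SYN;

    if (ipv4_is_multicast(src) || ipv4_is_limited_broadcast(src) ||
        ipv4_is_multicast(dst) || ipv4_is_limited_broadcast(dst))
        return SYN_DROP_SILENT;

    return SYN_ACCEPT;
}

/* Build a minimal constructed IPv4+TCP segment (no options, zero checksums)
 * for exercising classify_syn(). Addresses are in host byte order. */
size_t build_syn(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst,
                 uint8_t flags)
{
    if (cap < 40) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                   /* version 4, IHL 5 (20 bytes) */
    buf[3] = 40;                     /* total length */
    buf[8] = 64;                     /* TTL */
    buf[9] = 6;                      /* protocol: TCP */
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    buf[20] = 0xC3; buf[21] = 0x50;  /* source port 50000 */
    buf[23] = 0x50;                  /* destination port 80 */
    buf[32] = 0x50;                  /* data offset 5 (20-byte TCP header) */
    buf[33] = flags;
    return 40;
}

/* Convenience wrapper: build a constructed segment and classify it. */
int verdict_for(uint32_t src, uint32_t dst, uint8_t flags)
{
    uint8_t buf[64];
    size_t n = build_syn(buf, sizeof buf, src, dst, flags);
    return classify_syn(buf, n);
}
```

Running verdict_for(0xE0000001u, 0x0A000001u, TH_SYN), a SYN from 224.0.0.1 to 10.0.0.1, yields SYN_DROP_SILENT; the same SYN from 192.168.1.5 yields SYN_ACCEPT. Placing the check ahead of all state handling is what makes the silent drop possible, which is the ordering point raised above.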

