Date: Tue, 09 Jan 2001 18:58:45 -0700
From: Wes Peters <wes@softweyr.com>
To: Mike Silbersack <silby@silby.com>
Cc: Umesh Krishnaswamy <umesh@juniper.net>, freebsd-security@freebsd.org
Subject: Re: Spoofing multicast addresses
Message-ID: <3A5BC1D5.E5F57AE0@softweyr.com>
References: <Pine.BSF.4.31.0101082237330.11619-100000@achilles.silby.com>

Mike Silbersack wrote:
>
> On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
>
> > Hi Folks,
> >
> > I was looking at the code for tcp_drop(). If there is a SYN flood attack,
> > tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
> > in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
> > spoofs multicast IP addresses, then there will be a flood of RST packets being
> > sent out by the machine.
> >
> > I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
> > address is multicast, if so drop without RST. Or maybe, even before that,
> > tcp_input should not accept SYN packets from multicast IP addresses.
> >
> > Thanks.
> > Umesh.
>
> The check is done when the SYN is received, hence such a situation as you
> describe should not be able to occur.
>
> From tcp_input.c:
>
>                 /*
>                  * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
>                  * in_broadcast() should never return true on a received
>                  * packet with M_BCAST not set.
>                  *
>                  * Packets with a multicast source address should also
>                  * be discarded.
>                  */
>                 if (m->m_flags & (M_BCAST|M_MCAST))
>                         goto drop;

The real problem is this check is 675 lines into tcp_input, but probably
should be at the top. I've just rescanned this and don't recall if
m->m_flags is set before tcp_input is called, or by one of the numerous
functions called in the code leading up to this check.

The comment about discarding bcast/mcast SYN is misleading, there is NO
properly formatted TCP packet *to or from* a broadcast or multicast address.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                          Softweyr LLC
wes@softweyr.com                            http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
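
The early check discussed in this message, sketched as a standalone filter that runs before any connection state is consulted. This is an added example, not part of the original message and not FreeBSD's code. The names LINK_BCAST, LINK_MCAST, tcp_early_filter and make_ipv4_tcp are hypothetical, and the flags stand in for M_BCAST and M_MCAST.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-ins for the mbuf M_BCAST / M_MCAST link-layer flags. */
#define LINK_BCAST 0x1u
#define LINK_MCAST 0x2u
enum verdict { TCP_ACCEPT = 0, TCP_DROP_SILENT = 1 };

/* Read a big-endian 32-bit address from the packet buffer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 224.0.0.0/4 is multicast, 255.255.255.255 the limited broadcast.
 * Directed subnet broadcasts need interface data and are not covered. */
static int is_mcast_or_bcast(uint32_t addr)
{
    return (addr >> 28) == 0xEu || addr == 0xFFFFFFFFu;
}

/* First step of input processing: a segment that arrived in a broadcast or
 * multicast frame, or whose IP source or destination is such an address,
 * is dropped silently, so no RST is ever generated for it. */
enum verdict tcp_early_filter(const uint8_t *pkt, size_t len, unsigned link_flags)
{
    if (link_flags & (LINK_BCAST | LINK_MCAST))
        return TCP_DROP_SILENT;
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6)
        return TCP_DROP_SILENT;    /* truncated, not IPv4, or not TCP */
    if (is_mcast_or_bcast(be32(pkt + 12)) || is_mcast_or_bcast(be32(pkt + 16)))
        return TCP_DROP_SILENT;
    return TCP_ACCEPT;
}

/* Build a minimal 20-byte IPv4 header carrying TCP (constructed sample input). */
void make_ipv4_tcp(uint8_t hdr[20], uint32_t src, uint32_t dst)
{
    for (int i = 0; i < 20; i++) hdr[i] = 0;
    hdr[0] = 0x45;                 /* version 4, IHL 5 */
    hdr[9] = 6;                    /* protocol = TCP */
    for (int i = 0; i < 4; i++) {
        hdr[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        hdr[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
}
int main(void)
{
    uint8_t p[20];
    make_ipv4_tcp(p, 0xE0000001u, 0xC0000202u);   /* 224.0.0.1 -> 192.0.2.2 */
    return tcp_early_filter(p, sizeof p, 0) == TCP_DROP_SILENT ? 0 : 1;
}
```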