From: Wes Peters
Organization: Softweyr LLC
Date: Tue, 09 Jan 2001 18:58:45 -0700
To: Mike Silbersack
Cc: Umesh Krishnaswamy, freebsd-security@freebsd.org
Subject: Re: Spoofing multicast addresses
Message-ID: <3A5BC1D5.E5F57AE0@softweyr.com>

Mike Silbersack wrote:
>
> On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
>
> > Hi Folks,
> >
> > I was looking at the code for tcp_drop(). If there is a SYN flood attack,
> > tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
> > in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
> > spoofs multicast IP addresses, then there will be a flood of RST packets being
> > sent out by the machine.
> >
> > I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
> > address is multicast, if so drop without RST. Or maybe, even before that,
> > tcp_input should not accept SYN packets from multicast IP addresses.
> >
> > Thanks.
> > Umesh.
>
> The check is done when the SYN is received, hence such a situation as you
> describe should not be able to occur.
>
> From tcp_input.c:
>
>     /*
>      * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
>      * in_broadcast() should never return true on a received
>      * packet with M_BCAST not set.
>      *
>      * Packets with a multicast source address should also
>      * be discarded.
>      */
>     if (m->m_flags & (M_BCAST|M_MCAST))
>         goto drop;

The real problem is this check is 675 lines into tcp_input, but probably
should be at the top. I've just rescanned this and don't recall if
m->m_flags is set before tcp_input is called, or by one of the numerous
functions called in the code leading up to this check.

The comment about discarding bcast/mcast SYN is misleading, there is NO
properly formatted TCP packet *to or from* a broadcast or multicast address.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                              Softweyr LLC
wes@softweyr.com                                  http://softweyr.com/
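The point made in the reply above, that no valid TCP segment travels to or from a broadcast or multicast address and that the test belongs before any connection state is touched, shown as an added user-space example (not code from the message or from FreeBSD). It inspects the IPv4 addresses directly instead of relying on mbuf flags; the names `tcp_early_filter` and `classify_sample`, the verdict values, and the 10.0.0.5/24 interface are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

enum verdict { PASS, DROP_MALFORMED, DROP_SRC, DROP_DST };

/* Read a big-endian 32-bit field from the packet buffer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Multicast (224.0.0.0/4), limited broadcast, or the directed
 * broadcast of the receiving subnet (none exists for /31 and /32). */
static int bcast_or_mcast(uint32_t a, uint32_t ifaddr, uint32_t mask)
{
    if ((a & 0xf0000000u) == 0xe0000000u || a == 0xffffffffu)
        return 1;
    return mask < 0xfffffffeu && (a & mask) == (ifaddr & mask) &&
           (a | mask) == 0xffffffffu;
}

/* Classify an IPv4 packet before any TCP state is consulted.
 * ifaddr and mask describe the receiving interface (host order). */
enum verdict tcp_early_filter(const uint8_t *pkt, size_t len,
                              uint32_t ifaddr, uint32_t mask)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) < 5)
        return DROP_MALFORMED;
    if (pkt[9] != 6)                 /* not TCP: outside this check */
        return PASS;
    if (bcast_or_mcast(be32(pkt + 12), ifaddr, mask))
        return DROP_SRC;             /* an RST would go to a group */
    if (bcast_or_mcast(be32(pkt + 16), ifaddr, mask))
        return DROP_DST;
    return PASS;
}

/* Constructed sample: minimal TCP-in-IPv4 header received on 10.0.0.5/24. */
enum verdict classify_sample(uint32_t src, uint32_t dst)
{
    uint8_t h[20] = { 0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0 };
    for (int i = 0; i < 4; i++) {
        h[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        h[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return tcp_early_filter(h, sizeof h, 0x0a000005u, 0xffffff00u);
}

int main(void) { return classify_sample(0xe0000001u, 0x0a000005u) == DROP_SRC ? 0 : 1; }
```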