From: Don Lewis
Date: Tue, 9 Jan 2001 23:59:02 -0800
Message-Id: <200101100759.XAA20147@salsa.gv.tsc.tdk.com>
In-Reply-To: <3A5C09BE.88B4A117@softweyr.com>
References: <3A5BC1D5.E5F57AE0@softweyr.com> <200101100257.SAA19637@salsa.gv.tsc.tdk.com> <3A5C09BE.88B4A117@softweyr.com>
To: Wes Peters, Don Lewis
Cc: Mike Silbersack, Umesh Krishnaswamy, freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Spoofing multicast addresses

On Jan 10, 12:05am, Wes Peters wrote:
} Subject: Re: Spoofing multicast addresses
} The real problem with the "stream" attack was not the volume of incoming
} SYN packets, but the reflector nature of the attack when using forged
} multicast source addresses. The code did not correctly "ignore" these
} packets, and replied with RST. Since no current group membership was
} available for the multicast source address, the system forwarded the RST
} packet to all attached interfaces. Augh!

I'm actually not sure what the killer problem was.
I'm pretty sure that systems with only one interface were vulnerable, so spewing multicast RST packets out this interface shouldn't be much worse than spewing unicast RST packets, unless I'm missing something particularly expensive in the multicast code, which I admit that I'm not at all familiar with. If I had to speculate, I'd guess that it might have something to do with the multicast packets reentering the stack through the loopback interface or maybe incoming responses to the multicast spew from other hosts on the local network. Since we added the packet sanity checks and the RST response rate limiting at the same time, we really don't know which of these helped the most. I suppose this could be an interesting experiment for someone with some spare time on their hands.
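
The two mitigations named in the message above, packet sanity checks and RST response rate limiting, shown together as an added example; it is not part of the original post and is not FreeBSD's code. The function names, the 200-per-second limit and the per-check drop counters are assumptions made for illustration; the counters are what would let someone measure which check refuses more replies.

```c
#include <stdbool.h>
#include <stdint.h>

#define RST_PER_SEC 200u  /* assumed limit, chosen for this example */

struct rst_stats {
    uint32_t window;            /* second the current window started */
    uint32_t sent;              /* RSTs sent in the current window */
    uint32_t dropped_sanity;    /* refused by the address sanity check */
    uint32_t dropped_ratelimit; /* refused by the rate limiter */
};

/* IPv4 addresses are in host byte order. 224.0.0.0/4 is multicast. */
static bool is_mcast_or_bcast(uint32_t a)
{
    return (a & 0xf0000000u) == 0xe0000000u || a == 0xffffffffu;
}

/* TCP is unicast only: a segment from or to a multicast or broadcast
 * address is never valid, so it must be dropped without any reply. */
bool segment_is_sane(uint32_t src, uint32_t dst)
{
    return !is_mcast_or_bcast(src) && !is_mcast_or_bcast(dst);
}

/* Decide whether a segment that matches no connection gets an RST. */
bool should_send_rst(struct rst_stats *s, uint32_t src, uint32_t dst,
                     uint32_t now_sec)
{
    if (!segment_is_sane(src, dst)) {
        s->dropped_sanity++;
        return false;
    }
    if (now_sec != s->window) {   /* new one-second window */
        s->window = now_sec;
        s->sent = 0;
    }
    if (s->sent >= RST_PER_SEC) {
        s->dropped_ratelimit++;
        return false;
    }
    s->sent++;
    return true;
}
```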