Date: Sun, 17 Dec 2000 01:54:14 -0800
From: Kris Kennaway
To: Poul-Henning Kamp
Cc: Kris Kennaway, jesper@skriver.dk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217015414.A18302@citusc.usc.edu>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter>
In-Reply-To: <17340.977045052@critter>; from phk@critter.freebsd.dk on Sun, Dec 17, 2000 at 10:24:12AM +0100

On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> >> We currently do not react to ICMP administratively prohibited
> >> messages sent by routers when they deny our traffic; this causes
> >> a timeout when trying to connect to TCP ports/services on a remote
> >> host which is blocked by routers or firewalls.
> >
> > This sounds like a security hole since ICMP messages don't have a TCP
> > sequence number, meaning they can be trivially spoofed - am I wrong?
>
> There was some discussion on the list, and the result was that the
> default for this behaviour is "off" for now.
>
> Since we only react to this in "SYN-SENT" I think the window of
> opportunity is rather small in the first place...

The attack I'm thinking of involves flooding a machine with (possibly
spoofed) ICMP packets which would effectively deny the ability for that
machine to connect to its destination. If this attack is possible then
I'm unhappy having this code in FreeBSD, even disabled by default...
RFC be damned :-)

Kris
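The thread turns on whether a spoofed ICMP error can abort a connect that is sitting in SYN-SENT. The following is an added example, written for this page and not code from the FreeBSD commit under discussion, showing the check a receiver can apply before honouring an ICMP "administratively prohibited" error (RFC 1812 codes 9, 10 and 13 under type 3): an ICMP error quotes the IP header plus the first 8 bytes of the datagram that triggered it (RFC 792), and for a SYN those 8 bytes carry the source port, destination port and the SYN's sequence number, so the quoted sequence number can be compared with the connection's ISS. The `struct synsent` table, the function names and the constructed packets are assumptions made for the example; a `check_seq` flag of 0 reproduces the naive behaviour that only matches addresses and ports.

```c
/* Added example, not code from the FreeBSD commit under discussion.
 * Validates an ICMP "administratively prohibited" error against a
 * SYN-SENT connection before aborting it. Table layout, helper names
 * and the test packets are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ICMP_UNREACH               3
#define ICMP_UNREACH_NET_PROHIB    9   /* RFC 1812 */
#define ICMP_UNREACH_HOST_PROHIB   10  /* RFC 1812 */
#define ICMP_UNREACH_FILTER_PROHIB 13  /* RFC 1812 */
#define PROTO_TCP                  6
#define MIN_ICMP_ERR_LEN           (8 + 20 + 8)  /* ICMP hdr + IPv4 hdr + 8 quoted bytes */

/* One pending connect (state SYN-SENT). Addresses and ports in host order. */
struct synsent {
    uint32_t laddr, faddr;
    uint16_t lport, fport;
    uint32_t iss;       /* sequence number our SYN carried */
    int aborted;        /* set once an ICMP error is accepted for it */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff;
}

/* Process an ICMP message (pkt points at the ICMP header; the outer IP
 * header has already been stripped). Returns the index of the SYN-SENT
 * entry that was aborted, or -1 if the message was ignored.
 * check_seq == 0 gives the naive behaviour the thread worries about:
 * anyone who can guess addresses and ports can abort the connect
 * without ever having seen the SYN. */
int icmp_prohib_input(const uint8_t *pkt, size_t len,
                      struct synsent *tbl, size_t n, int check_seq)
{
    if (len < MIN_ICMP_ERR_LEN || pkt[0] != ICMP_UNREACH)
        return -1;
    uint8_t code = pkt[1];
    if (code != ICMP_UNREACH_NET_PROHIB && code != ICMP_UNREACH_HOST_PROHIB &&
        code != ICMP_UNREACH_FILTER_PROHIB)
        return -1;

    /* Quoted IPv4 header of the datagram the router dropped */
    const uint8_t *iip = pkt + 8;
    size_t ihl = (size_t)(iip[0] & 0x0f) * 4;
    if ((iip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8 || iip[9] != PROTO_TCP)
        return -1;
    uint32_t src = get32(iip + 12), dst = get32(iip + 16);

    /* First 8 bytes of the quoted TCP header: ports and sequence number */
    const uint8_t *tcp = iip + ihl;
    uint16_t sport = get16(tcp), dport = get16(tcp + 2);
    uint32_t seq = get32(tcp + 4);

    for (size_t i = 0; i < n; i++) {
        struct synsent *s = &tbl[i];
        /* The quoted datagram was sent by us, so its source is our local side */
        if (s->aborted || s->laddr != src || s->faddr != dst ||
            s->lport != sport || s->fport != dport)
            continue;
        /* Only a party that saw our SYN (or the router that dropped it) knows iss */
        if (check_seq && seq != s->iss)
            return -1;
        s->aborted = 1;
        return (int)i;
    }
    return -1;
}

/* Build a constructed ICMP error for offline testing. Checksums are left
 * zero and the buffer never goes on the wire. buf needs MIN_ICMP_ERR_LEN bytes. */
size_t build_prohib(uint8_t *buf, uint8_t code, uint32_t src, uint32_t dst,
                    uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, MIN_ICMP_ERR_LEN);
    buf[0] = ICMP_UNREACH;
    buf[1] = code;
    uint8_t *iip = buf + 8;
    iip[0] = 0x45;             /* IPv4, IHL 5 */
    iip[9] = PROTO_TCP;
    put32(iip + 12, src);
    put32(iip + 16, dst);
    put16(iip + 20, sport);    /* quoted TCP source port */
    put16(iip + 22, dport);    /* quoted TCP destination port */
    put32(iip + 24, seq);      /* quoted TCP sequence number (the SYN's ISS) */
    return MIN_ICMP_ERR_LEN;
}
```

With `check_seq` set, an error whose quoted sequence number does not equal the connection's ISS is dropped, so an off-path sender who only guesses the four-tuple cannot abort the connect; with `check_seq` clear the same packet is accepted. The check is only meaningful in SYN-SENT, where exactly one segment (the SYN) has been sent and its sequence number is known.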