From owner-freebsd-bugs Tue Aug 18 18:01:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA15667 for freebsd-bugs-outgoing; Tue, 18 Aug 1998 18:01:50 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from cal007109.student.utwente.nl (cal007109.student.utwente.nl [130.89.221.199]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA15625; Tue, 18 Aug 1998 18:01:29 -0700 (PDT) (envelope-from edwin-ml@woudt.nl)
Received: from [192.168.1.2] (helo=desktop) by cal007109.student.utwente.nl with smtp (Exim 2.02 #2) id 0z8wbJ-0001Gf-00; Wed, 19 Aug 1998 02:59:45 +0200
From: "Edwin Woudt"
To: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Date: Wed, 19 Aug 1998 03:02:53 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Gateway/firewall denial of service
Reply-to: edwin-ml@woudt.nl
X-mailer: Pegasus Mail for Win32 (v3.01a)
Message-Id:
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I use a FreeBSD 2.2.7 machine as a gateway and firewall between a local network and a campus-wide network. Accidentally I discovered a way to change the routing table of the local network on the gateway from the campus network.

The problem is that the kernel accepts ARP broadcasts on one interface of which the IP addresses are on another interface, and so makes a machine on the local network unreachable for the gateway.

I tried to find the bug in the source code, but I'm not a C expert. I hope somebody who is a better programmer would go through the code and find the bug. As the code I thought to be related looked very old, this might be a problem in all versions of FreeBSD and even other BSD operating systems.

In more detail:

This machine has two 3C509b cards, of which ep0 is connected to the campus network and ep1 is connected to the local network.
+---------------+         +-----------------+
| Win98 machine |         |FreeBSD 2.2.7    |
|               |---------|<-192.168.1.1    |
| 192.168.1.2   |         |130.89.221.199 ->|-----Campus network
+---------------+         +-----------------+

# ifconfig -a
ep0: flags=8843 mtu 1500
        inet 130.89.221.199 netmask 0xffff0000 broadcast 130.89.255.255
        ether 00:a0:24:c7:7c:6e
ep1: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffff0000 broadcast 192.168.255.255
        ether 00:20:af:5c:6b:ea

Normally the entry for the Win98 machine in the routing table (netstat -r) looks like this:

Destination        Gateway            Flags     Refs     Use     Netif Expire
192.168.1.2        0:80:ad:71:3c:fc   UHLW        6   366621       ep1   1197

But if another computer with the same IP address (192.168.1.2) connects to the campus network, I get the following kernel message:

/kernel: arp: 192.168.1.2 moved from 00:80:ad:71:3c:fc to 00:00:e8:2f:c6:be

After that the routing table is like this:

Destination        Gateway            Flags     Refs     Use     Netif Expire
192.168.1.2        0:00:e8:2f:c6:be   UHLW        6   366621       ep1   1197

So, the interface is still the same, but the MAC address has changed to that of a network card on the campus network, which is on interface ep0. Result: 192.168.1.2 is unreachable on ep1....

This happened because a wrongly configured machine connected to the campus network. But if someone wants, one can use this to make a complete local network (not just 1 machine) unreachable.

Suggestion: Make it impossible to change a routing table entry on one interface through another interface.

Edwin Woudt

=====================================================================
Edwin Woudt
Calslaan 7-109
7522 MH Enschede
The Netherlands
edwin@woudt.nl
ICQ: 1156462
+31 53 489 5010
=====================================================================
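The following is an added illustration, not part of Edwin's report and not FreeBSD kernel code. It models an ARP cache in Python in two modes: one that updates a known entry's MAC from a reply on any interface (the behaviour the report describes, where the Netif column stays `ep1` but the MAC changes), and one that applies the report's suggestion and refuses an update that arrives on a different interface than the one the entry lives on. The two ARP replies and the syslog line are constructed from the values quoted in the report; the wording of the rejection message is an assumption of this example. A small parser for the kernel's `arp: ... moved from ... to ...` line is included so the event can be picked out of syslog on a kernel that lacks the check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of an ARP cache, not FreeBSD kernel code. Each entry
# remembers the interface it was learned on, like the Netif column of
# `netstat -r` in the report.


@dataclass
class ArpEntry:
    mac: str
    ifname: str


class ArpCache:
    """Toy ARP cache. enforce_interface=False reproduces the report: a reply
    for a known IP rewrites the MAC whatever interface it came in on.
    enforce_interface=True applies the report's suggestion and drops replies
    that arrive on a different interface than the existing entry's."""

    def __init__(self, enforce_interface: bool) -> None:
        self.enforce_interface = enforce_interface
        self.entries: Dict[str, ArpEntry] = {}
        self.messages: List[str] = []  # what the kernel would log

    def learn(self, ip: str, mac: str, ifname: str) -> bool:
        """Process an ARP reply seen on `ifname` claiming `ip` is at `mac`.
        Returns True if the cache now maps `ip` to `mac`."""
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = ArpEntry(mac, ifname)
            return True
        if cur.ifname != ifname and self.enforce_interface:
            # Hardened path: the entry belongs to another interface, so this
            # reply cannot be from the host already known there. Log and drop.
            # (Message wording is an assumption of this example.)
            self.messages.append(
                f"arp: {ip} is on {cur.ifname} but got reply from {mac} on {ifname}")
            return False
        if cur.mac != mac:
            # Same wording as the kernel message quoted in the report.
            self.messages.append(f"arp: {ip} moved from {cur.mac} to {mac}")
            cur.mac = mac  # ifname is left untouched, exactly as in the report
        return True


def replay_report(enforce_interface: bool) -> Tuple[ArpEntry, List[str]]:
    """Replay the two ARP replies described in the report (constructed input)."""
    cache = ArpCache(enforce_interface)
    cache.learn("192.168.1.2", "00:80:ad:71:3c:fc", "ep1")  # the Win98 machine
    cache.learn("192.168.1.2", "00:00:e8:2f:c6:be", "ep0")  # same IP, campus side
    return cache.entries["192.168.1.2"], cache.messages


# Detection side: extract the "moved from" message from a syslog line so a
# flapping entry is noticed even where the kernel has no interface check.
_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17})")


def parse_arp_moved(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ip, old_mac, new_mac) for a kernel 'arp: ... moved' line, else None."""
    m = _MOVED.search(line)
    return (m.group("ip"), m.group("old"), m.group("new")) if m else None


if __name__ == "__main__":
    for enforce in (False, True):
        entry, msgs = replay_report(enforce)
        print(f"enforce_interface={enforce}: 192.168.1.2 -> {entry.mac} on {entry.ifname}")
        for msg in msgs:
            print("  kernel:", msg)
    # Constructed syslog line in the shape quoted in the report.
    print(parse_arp_moved(
        "Aug 19 02:55:01 gw /kernel: arp: 192.168.1.2 moved from "
        "00:80:ad:71:3c:fc to 00:00:e8:2f:c6:be"))
```

Run without arguments to see both modes: in the first the entry ends up at the campus MAC while still marked `ep1`, which is the unreachable state the report shows; in the second the original MAC survives and the cross-interface reply is logged and discarded.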