Date: Sun, 17 Dec 2000 22:08:52 +0100
From: Jesper Skriver <jesper@skriver.dk>
To: "Jacques A. Vidrine" <n@nectar.com>, freebsd-net@FreeBSD.org, Poul-Henning Kamp <phk@critter.freebsd.dk>, Kris Kennaway <kris@FreeBSD.org>, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217220852.A20296@skriver.dk>
In-Reply-To: <20001217102613.B61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 10:26:13AM -0600
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com>
On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> [Moved to freebsd-net]
>
> On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > > In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> > > >This sounds like a security hole since ICMP messages don't have a TCP
> > > >sequence number meaning they can be trivially spoofed - am I wrong?
> > >
> > > There was some discussion on the list, and the result was that the
> > > default for this behaviour is "off" for now.
> > >
> > > Since we only react to this in "SYN-SENT" I think the window of
> > > opportunity is rather small in the first place...
> >
> > [ I haven't looked at the patch ]
> >
> > ICMP packets include the headers of the packets that `triggered' them,
> > so we do have a sequence number.
> >
> > I think the correct thing to do is to pull the source address,
> > destination address, source port, destination port, and sequence number
> > from the ICMP message, and zap the corresponding connection IFF the
> > sequence number is in the window.
>
> Jesper, I'm sorry I missed this thread on -hackers (I just caught up
> using the archive).
>
> I'm glad this is off by default. While clearly these ICMP messages need
> to be handled, I think the approach taken has fatal flaws:
> (1) This opens a new DoS attack

As said in my posting to cvs-all@FreeBSD.ORG, it already matches against
TCP source and destination port numbers, and I'm testing a new version
which also matches against the TCP sequence number.

> (2) These same messages are not handled for connections not in
> SYN-SENT: they ought to be

Well, yes, but the real problem is when sessions are set up; the reason I
only configured it to affect sessions in SYN-SENT state was to minimize
the risk of a DoS. But it's a trivial fix to remove that check. What do
you say, Kris?
If we match against
- ip source and destination addresses
- tcp source and destination ports
- tcp sequence number

Can we make it zap the sessions regardless of the current state? And
perhaps enable it by default?

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
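The five-field check the thread converges on (addresses, ports, and a quoted sequence number inside the send window), as an added example written for this page rather than Jesper's or FreeBSD's own code; the struct and function names are assumptions, not ip_icmp.c or tcp_subr.c identifiers, and the accepted window is taken as [snd_una, snd_nxt).

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not the FreeBSD patch. A connection as the stack would
 * track it; field names are assumptions chosen for readability. */
enum tcp_state { SYN_SENT, ESTABLISHED };

struct conn {
    uint32_t laddr, faddr;   /* local and foreign IPv4 addresses (host order) */
    uint16_t lport, fport;   /* local and foreign TCP ports */
    uint32_t snd_una;        /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;        /* next sequence number to be sent */
    enum tcp_state state;
};

/* Fields pulled from the IP+TCP header quoted inside an ICMP error. The
 * quoted packet is one we sent, so its source is our local address/port. */
struct icmp_quote {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t seq;
};

/* Wrap-safe comparison: true iff lo <= seq < hi in sequence-number arithmetic */
static bool seq_in_window(uint32_t seq, uint32_t lo, uint32_t hi)
{
    return (int32_t)(seq - lo) >= 0 && (int32_t)(hi - seq) > 0;
}

/* Accept the ICMP error for this connection only if all five fields match
 * and the quoted sequence number lies in [snd_una, snd_nxt). any_state=false
 * keeps the original SYN-SENT-only restriction; true lifts it as proposed. */
bool icmp_quote_matches(const struct conn *c, const struct icmp_quote *q,
                        bool any_state)
{
    if (!any_state && c->state != SYN_SENT)
        return false;
    if (q->src != c->laddr || q->dst != c->faddr)
        return false;
    if (q->sport != c->lport || q->dport != c->fport)
        return false;
    return seq_in_window(q->seq, c->snd_una, c->snd_nxt);
}
```

In SYN-SENT the window is just [iss, iss+1), so only the exact initial sequence number passes; a forged message must also guess the right port pair.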