Date: Thu, 20 Nov 1997 04:31:21 -0800 (PST)
From: Matt Dillon <dillon@best.net>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/5103: FreeBSD kernel lockup from spoofed TCP packet
Message-ID: <199711201231.EAA01449@flea.best.net>
Resent-Message-ID: <199711201240.EAA02339@hub.freebsd.org>
>Number:         5103
>Category:       kern
>Synopsis:       It appears to be possible to lock up a FreeBSD box with a spoofed TCP packet. Two of our shell machines were attacked tonight.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 20 04:40:01 PST 1997
>Last-Modified:
>Originator:     Matt Dillon
>Organization:   Best Internet Communications
>Release:        FreeBSD 2.2.5-STABLE i386
>Environment:
FreeBSD 2.2.5 running on PPro 200's
>Description:
Two of our machines were locked up tonight by what looks like a spoofed TCP packet. The characteristics of the packet were that both the source and destination address were set to the machine's ethernet IP address, and the same TCP port was used for both source and destination.

We were able to core both machines from the debugger. Both kernels were stuck in an endless ip_intr loop. It appeared that the TCP stack transmitted a packet which caused the higher-level ip_intr to loop on tcp_input. An infinite loop ensued.
>How-To-Repeat:
Not sure.
>Fix:
Not sure about this. I hacked our kernels to discard any packet where ti_src.s_addr == ti_dst.s_addr && ti_sport == ti_dport. I am hoping this will prevent the attack from looping the code.

-Matt
>Audit-Trail:
>Unformatted:
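The discard rule described under >Fix: (drop a TCP segment whose IP source equals its IP destination and whose source port equals its destination port), written out as an added example that is not part of this report and not FreeBSD's kernel code. It parses a raw IPv4 header plus the first four bytes of the TCP header from captured packet bytes and applies the same comparison, so it can be run over a pcap payload or used as a filter predicate. The build_ipv4_tcp helper, the addresses and the port numbers are constructed test inputs only; checksums are left as zero because the check never looks at them.

```python
import ipaddress
import struct

IPPROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport) for a raw IPv4+TCP packet.

    Returns None when the bytes are not an IPv4 packet carrying TCP, or are
    too short to contain both the IP header and the TCP port fields, so that
    truncated or non-TCP input is never mistaken for a match.
    """
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or proto != IPPROTO_TCP or len(packet) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), sport, dport)


def is_land_packet(packet: bytes) -> bool:
    """The report's discard condition: same address AND same port on both ends.

    Mirrors `ti_src.s_addr == ti_dst.s_addr && ti_sport == ti_dport`; a packet
    that matches only one of the two conditions is left alone.
    """
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dst, sport, dport = parsed
    return src == dst and sport == dport


def drop_land_packets(packets):
    """Filter a sequence of raw packets, returning (kept, dropped_count)."""
    kept = []
    dropped = 0
    for pkt in packets:
        if is_land_packet(pkt):
            dropped += 1
        else:
            kept.append(pkt)
    return kept, dropped


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test input: a minimal 20-byte IPv4 header followed by a
    20-byte TCP header (SYN flag, zero checksums). Used only to exercise the
    parser above; nothing here puts bytes on the wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample: one ordinary SYN to port 139 and one self-addressed one.
    sample = [
        build_ipv4_tcp("10.0.0.7", "10.0.0.5", 40000, 139),
        build_ipv4_tcp("10.0.0.5", "10.0.0.5", 139, 139),
    ]
    kept, dropped = drop_land_packets(sample)
    print(f"kept={len(kept)} dropped={dropped}")
```

The two-part condition matters: a host legitimately talks to itself over loopback with matching addresses but different ports, so checking only the addresses would discard real traffic, which is why the report's rule requires both the address and the port to coincide.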