From owner-freebsd-bugs Thu Nov 20 04:40:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA02345 for bugs-outgoing; Thu, 20 Nov 1997 04:40:03 -0800 (PST) (envelope-from owner-freebsd-bugs) Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA02339; Thu, 20 Nov 1997 04:40:01 -0800 (PST) (envelope-from gnats) Resent-Date: Thu, 20 Nov 1997 04:40:01 -0800 (PST) Resent-Message-Id: <199711201240.EAA02339@hub.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, dillon@best.net Received: from flea.best.net (root@flea.best.net [206.184.139.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id EAA02062 for ; Thu, 20 Nov 1997 04:32:08 -0800 (PST) (envelope-from dillon@flea.best.net) Received: (from dillon@localhost) by flea.best.net (8.8.7/8.7.3) id EAA01449; Thu, 20 Nov 1997 04:31:21 -0800 (PST) Message-Id: <199711201231.EAA01449@flea.best.net> Date: Thu, 20 Nov 1997 04:31:21 -0800 (PST) From: Matt Dillon Reply-To: dillon@best.net To: FreeBSD-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: 3.2 Subject: kern/5103: FreeBSD kernel lockup from spoofed TCP packet Sender: owner-freebsd-bugs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >Number: 5103 >Category: kern >Synopsis: It appears to be possible to lockup a FreeBSD box with a spoofed TCP packet. Two of our shell machines were attacked tonight. >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 20 04:40:01 PST 1997 >Last-Modified: >Originator: Matt Dillon >Organization: Best Internet Communications >Release: FreeBSD 2.2.5-STABLE i386 >Environment: FreeBSD 2.2.5 running on PPro 200's >Description: Two of our machines were locked up tonight by what looks like a spoofed TCP packet. The characteristics of the packet were that both the source and destination address were set to the machine's ethernet IP address, and the same tcp port was used for both source and destination. We were able to core both machines from the debugger. Both kernels were stuck in an endless ip_intr loop. It appeared that the tcp stack transmitted a packet which caused the higher level ip_intr to loop on tcp_input. An infinite loop ensued. >How-To-Repeat: Not sure. >Fix: not sure about this. I hacked our kernels to discard any packet where ti_src.s_addr == ti_dst.s_addr && ti_sport == ti_dport. I am hoping this will prevent the attack from looping the code. -Matt >Audit-Trail: >Unformatted: