Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 17 Dec 2000 15:58:26 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001217155826.A16170@skriver.dk>
In-Reply-To: <20001217015414.A18302@citusc.usc.edu>; from kris@FreeBSD.org on Sun, Dec 17, 2000 at 01:54:14AM -0800
References:  <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217015414.A18302@citusc.usc.edu>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 17, 2000 at 01:54:14AM -0800, Kris Kennaway wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > >>   We currently does not react to ICMP administratively prohibited
> > >>   messages send by routers when they deny our traffic, this causes
> > >>   a timeout when trying to connect to TCP ports/services on a remote
> > >>   host, which is blocked by routers or firewalls.
> > >
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> > 
> > There was some discussion on the list, and the result was that the
> > default is this behaviour is "off" for now.
> > 
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
> 
> The attack I'm thinking of involves flooding a machine with (possibly
> spoofed) ICMP packets which would effectively deny the ability for
> that machine to connect to its destination.

If we imagine machine A wants to connect to machine B, and someone
floods machine A with spoofed ICMP unreachable packets, telling machine
A that it cannot reach machine B, then you would have a DOS.

But as PHK says, it's disabled by default, and the above is a very
special case, the "bad guy" needs to know where machine A wants to
connect to, and it needs to be a continious flood, making it easy to
track down the offender.

> If this attack is possible then I'm unhappy having this code in
> FreeBSD, even disabled by default..RFC be damned :-)

It solves problems when trying to connects to hosts behind packet
filters and/or firewalls, and I can add that Linux has this "feature"
enabled by default, atleast since kernel v2.0 which was the oldest box I
could find.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001217155826.A16170>