From owner-cvs-all Sun Dec 17 6:58:32 2000 From owner-cvs-all@FreeBSD.ORG Sun Dec 17 06:58:27 2000 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 895DC37B400; Sun, 17 Dec 2000 06:58:27 -0800 (PST) Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 419E13E4F; Sun, 17 Dec 2000 15:58:26 +0100 (CET) Date: Sun, 17 Dec 2000 15:58:26 +0100 From: Jesper Skriver To: Kris Kennaway Cc: Poul-Henning Kamp , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001217155826.A16170@skriver.dk> References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217015414.A18302@citusc.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001217015414.A18302@citusc.usc.edu>; from kris@FreeBSD.org on Sun, Dec 17, 2000 at 01:54:14AM -0800 Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, Dec 17, 2000 at 01:54:14AM -0800, Kris Kennaway wrote: > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote: > > >> We currently does not react to ICMP administratively prohibited > > >> messages send by routers when they deny our traffic, this causes > > >> a timeout when trying to connect to TCP ports/services on a remote > > >> host, which is blocked by routers or firewalls. > > > > > >This sounds like a security hole since ICMP messages don't have a TCP > > >sequence number meaning they can be trivially spoofed - am I wrong? > > > > There was some discussion on the list, and the result was that the > > default is this behaviour is "off" for now. > > > > Since we only react to this in "SYN-SENT" I think the window of > > opportunity is rather small in the first place... > > The attack I'm thinking of involves flooding a machine with (possibly > spoofed) ICMP packets which would effectively deny the ability for > that machine to connect to its destination. If we imagine machine A wants to connect to machine B, and someone floods machine A with spoofed ICMP unreachable packets, telling machine A that it cannot reach machine B, then you would have a DOS. But as PHK says, it's disabled by default, and the above is a very special case, the "bad guy" needs to know where machine A wants to connect to, and it needs to be a continious flood, making it easy to track down the offender. > If this attack is possible then I'm unhappy having this code in > FreeBSD, even disabled by default..RFC be damned :-) It solves problems when trying to connects to hosts behind packet filters and/or firewalls, and I can add that Linux has this "feature" enabled by default, atleast since kernel v2.0 which was the oldest box I could find. /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message