Date: Sun, 17 Dec 2000 10:29:04 -0500
From: "Louis A. Mamakos" <louie@TransSys.COM>
To: Kris Kennaway <kris@FreeBSD.ORG>
Cc: Poul-Henning Kamp <phk@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <200012171529.eBHFT4512582@whizzo.transsys.com>
In-Reply-To: Your message of "Sun, 17 Dec 2000 01:20:07 PST." <20001217012007.A18038@citusc.usc.edu>
References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu>
> On Sat, Dec 16, 2000 at 11:42:07AM -0800, Poul-Henning Kamp wrote:
> > phk 2000/12/16 11:42:07 PST
> >
> > Modified files:
> > sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
> > Log:
> > We currently do not react to ICMP administratively prohibited
> > messages sent by routers when they deny our traffic; this causes
> > a timeout when trying to connect to TCP ports/services on a remote
> > host which is blocked by routers or firewalls.
>
> This sounds like a security hole since ICMP messages don't have a TCP
> sequence number, meaning they can be trivially spoofed - am I wrong?

The Destination Unreachable ICMP message should include a copy of the IP
header plus 20 bytes of payload (TCP segment header) which you could use
to validate it. I only glanced briefly at the patch, and don't know if
that was being done or not.

At that point, the situation is essentially the same as an RST-based
attack and trying to predict TCP sequence numbers.

louie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012171529.eBHFT4512582>
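The validation louie describes, as an added example (it is not FreeBSD's tcp_ctlinput() or any code from this thread): before a host acts on an ICMP Destination Unreachable with an administratively-prohibited code, it checks the ICMP checksum, then matches the quoted IP header and the first bytes of the quoted TCP header against its own connection table, and finally requires the quoted sequence number to be one it actually has in flight. RFC 792 only guarantees that the first 8 bytes of the original datagram's payload are quoted, which for TCP covers the two ports and the sequence number, so the check below relies on exactly those fields. The connection table (TcpConn with snd_una/snd_max), the sample addresses and the constructed messages are all assumptions made for the example.

```python
"""Validate ICMP Destination Unreachable (admin prohibited) messages against a
table of local TCP connections before acting on them.

Added illustration only; the connection table and the sample messages are
constructed for the example and are not FreeBSD's implementation.
"""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# Codes that mean "filtered by policy": 9 net admin prohibited,
# 10 host admin prohibited, 13 communication administratively prohibited.
ADMIN_PROHIBITED_CODES = {9, 10, 13}
IPPROTO_TCP = 6


@dataclass
class TcpConn:
    laddr: str     # local address: source of the datagram that was dropped
    lport: int
    faddr: str     # foreign address: destination we tried to reach
    fport: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_max: int   # one past the highest sequence number sent so far


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def seq_in_window(seq: int, una: int, mx: int) -> bool:
    """True if una <= seq < mx in 32-bit modular sequence space."""
    return (seq - una) % (1 << 32) < (mx - una) % (1 << 32)


def validate_admin_prohibited(icmp: bytes, conns) -> tuple:
    """Return (matching TcpConn or None, reason string).

    Only a well-formed admin-prohibited unreachable whose quoted header names
    one of our connections with an in-flight sequence number is accepted;
    everything else is treated as malformed or spoofed and ignored.
    """
    if len(icmp) < 8 + 20 + 8:
        return None, "too short to carry IP header + 8 bytes of TCP"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None, "not Destination Unreachable"
    if code not in ADMIN_PROHIBITED_CODES:
        return None, "not an admin-prohibited code"
    if inet_checksum(icmp) != 0:
        return None, "bad ICMP checksum"

    inner = icmp[8:]                      # quoted IP header of our datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None, "malformed quoted IP header"
    if inner[9] != IPPROTO_TCP:
        return None, "quoted datagram is not TCP"
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    # RFC 792 guarantees only 8 payload bytes: source port, dest port, seq.
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])

    for c in conns:
        if (c.laddr, c.lport, c.faddr, c.fport) == (src, sport, dst, dport):
            if seq_in_window(seq, c.snd_una, c.snd_max):
                return c, "accepted"
            return None, "4-tuple matches but sequence number not in flight"
    return None, "no matching connection"


def build_admin_prohibited(code, src, sport, dst, dport, seq) -> bytes:
    """Construct a sample ICMP type 3 message quoting a TCP segment we sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip \
        + struct.pack("!HHI", sport, dport, seq)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed connection table: one SYN in flight (seq 1000 occupies one byte).
CONNS = [TcpConn("192.0.2.10", 40000, "198.51.100.5", 22, snd_una=1000, snd_max=1001)]


def demo() -> dict:
    msgs = {
        "genuine": build_admin_prohibited(13, "192.0.2.10", 40000, "198.51.100.5", 22, 1000),
        "wrong_seq": build_admin_prohibited(13, "192.0.2.10", 40000, "198.51.100.5", 22, 99999),
        "wrong_port": build_admin_prohibited(13, "192.0.2.10", 40001, "198.51.100.5", 22, 1000),
    }
    return {name: validate_admin_prohibited(m, CONNS)[1] for name, m in msgs.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

With this check in place a blind attacker must guess the ephemeral port and a sequence number inside the unacknowledged window, which is the same work as forging an RST; an attacker who can observe the connection's traffic defeats both equally, so the check raises the bar to that of the RST case and no further.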