From: "Louis A. Mamakos"
Sender: louie@TransSys.COM
To: Kris Kennaway
Cc: Poul-Henning Kamp, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Date: Sun, 17 Dec 2000 10:29:04 -0500
Message-Id: <200012171529.eBHFT4512582@whizzo.transsys.com>
In-reply-to: Your message of "Sun, 17 Dec 2000 01:20:07 PST." <20001217012007.A18038@citusc.usc.edu>
References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu>

> On Sat, Dec 16, 2000 at 11:42:07AM -0800, Poul-Henning Kamp wrote:
> > phk 2000/12/16 11:42:07 PST
> >
> > Modified files:
> > sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
> > Log:
> > We currently do not react to ICMP administratively prohibited
> > messages sent by routers when they deny our traffic; this causes
> > a timeout when trying to connect to TCP ports/services on a remote
> > host which is blocked by routers or firewalls.
>
> This sounds like a security hole since ICMP messages don't have a TCP
> sequence number, meaning they can be trivially spoofed - am I wrong?
The Destination Unreachable ICMP message should include a copy of the IP header plus 20 bytes of payload (TCP segment header) which you could use to validate it. I only glanced briefly at the patch, and don't know if that was being done or not.

At that point, the situation is essentially the same as an RST-based attack and trying to predict TCP sequence numbers.

louie
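One way to do the validation louie describes, as an added example that is neither the FreeBSD patch nor code from this thread: parse the quoted inner IP and TCP headers out of a type-3 ICMP message and accept it only if it names an existing connection and carries a sequence number that connection has sent but not yet had acknowledged, so a forged message has to guess the sequence number just as a forged RST would. The `conn` struct, both functions and the address values are hypothetical; only the first 8 bytes of the quoted TCP header (ports and sequence number) are needed for the check, and the ICMP checksum is not verified here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical connection record (not FreeBSD's inpcb/tcpcb). Addresses and
 * ports hold the raw on-wire bytes; sequence numbers are in host order. */
struct conn {
    uint32_t laddr, faddr;     /* local and foreign IPv4 address */
    uint16_t lport, fport;     /* local and foreign TCP port */
    uint32_t snd_una, snd_max; /* oldest unacked seq, next seq to be sent */
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Accept an ICMP Destination Unreachable only if the quoted packet is one this
 * connection sent (addresses, ports) and its seq lies in [snd_una, snd_max). */
bool icmp_unreach_matches_conn(const uint8_t *icmp, size_t len, const struct conn *c) {
    if (len < 8 + 20 + 8 || icmp[0] != 3) return false;   /* type 3, 8-byte ICMP hdr */
    const uint8_t *ip = icmp + 8;                          /* quoted inner IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return false;
    if (ip[9] != 6) return false;                          /* inner protocol must be TCP */
    if (memcmp(ip + 12, &c->laddr, 4) != 0 || memcmp(ip + 16, &c->faddr, 4) != 0) return false;
    const uint8_t *tcp = ip + ihl;                         /* first 8 bytes of inner TCP */
    if (memcmp(tcp, &c->lport, 2) != 0 || memcmp(tcp + 2, &c->fport, 2) != 0) return false;
    uint32_t seq = be32(tcp + 4);
    /* Modular comparison, as TCP sequence arithmetic requires. */
    return (int32_t)(seq - c->snd_una) >= 0 && (int32_t)(seq - c->snd_max) < 0;
}

/* Build a constructed type-3 message quoting the given inner fields (test data,
 * not a captured packet). Writes 36 bytes; checksum left zero. */
size_t build_unreach(uint8_t *buf, uint8_t code, uint32_t src, uint32_t dst,
                     uint16_t sport, uint16_t dport, uint32_t seq) {
    memset(buf, 0, 36);
    buf[0] = 3; buf[1] = code;
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; ip[9] = 6;                               /* IPv4, IHL=5, proto TCP */
    memcpy(ip + 12, &src, 4); memcpy(ip + 16, &dst, 4);
    uint8_t *tcp = ip + 20;
    memcpy(tcp, &sport, 2); memcpy(tcp + 2, &dport, 2);
    tcp[4] = (uint8_t)(seq >> 24); tcp[5] = (uint8_t)(seq >> 16);
    tcp[6] = (uint8_t)(seq >> 8);  tcp[7] = (uint8_t)seq;
    return 36;
}
```

For a connection still in SYN_SENT (the commit's timeout case) `snd_max` is `iss + 1`, so only a message quoting the exact initial sequence number passes.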