From owner-freebsd-security  Thu Jan 20 21:19:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
	by hub.freebsd.org (Postfix) with ESMTP id 1CA2B1502D
	for <security@FreeBSD.ORG>; Thu, 20 Jan 2000 21:19:27 -0800 (PST)
	(envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost)
	by cairo.anu.edu.au (8.9.3/8.9.3) id PAA24853;
	Fri, 21 Jan 2000 15:17:34 +1100 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200001210417.PAA24853@cairo.anu.edu.au>
Subject: Re: stream.c worst-case kernel paths
To: brett@lariat.org (Brett Glass)
Date: Fri, 21 Jan 2000 15:17:34 +1100 (Australia/NSW)
Cc: security@FreeBSD.ORG
In-Reply-To: <4.2.2.20000120182425.01886ec0@localhost> from "Brett Glass" at Jan 20, 2000 08:17:30 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Brett Glass, sie said:
> 
> I've been browsing the code, and have seen two possible places where
> the code might be improved to lessen the impact of this DoS. Folks
> who know the stack better may know about details and side effects
> that I don't, so so if my analysis has holes in it please don't chew 
> me out TOO badly.
> 
>  From /sys/netinet/tcp_input.c:
> 
> The kernel seeks a socket that matches the packet. It fails, of course,
> to find an open socket.
> 
>          inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport,
>              ti->ti_dst, ti->ti_dport, 1);

> If the system isn't listening on the port, inp is set to NULL. But inside
> in_pcblookup_hash, we've had to do two hash table lookups, because
> the "wildcard" flag is set to 1. (Suggested improvement: turn off the
> wildcard search if the packet is not a SYN. I suppose that if the
> packet IS a SYN, we still have to test to see if it was erroneously
> sent in the middle of a connection, so we really have to do both tests 
> in that case. See in_pcb.c.)

Also, what about the simultaneous connection problem ?  (both ends send
SYN's to the other, same ports).

> Back to tcp_input.c. We then execute the following:
> 
>          if (inp == NULL) {
>                  if (log_in_vain && tiflags & TH_SYN) {
>                          char buf[4*sizeof "123"];
> 
>                          strcpy(buf, inet_ntoa(ti->ti_dst));
>                          log(LOG_INFO,
>                              "Connection attempt to TCP %s:%d from %s:%d\n",
>                              buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
>                              ntohs(ti->ti_sport));
>                  }
>                  }
> #ifdef ICMP_BANDLIM
>                  if (badport_bandlim(1) < 0)
>                          goto drop;
> #endif
>                  goto dropwithreset;
>          }
> 
> Normally, we'll wind up at the label "dropwithreset", which means we'll
> send back a RST.  This suggests that restricting RSTs will help with the
> DoS. (Does anyone know if not sending an RST violates any RFCs if there
> was never a connection?)

Yes.  RFC 793, figure 11, page 35, describes the prescribed behaviour.

Darren


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message