Date: Fri, 21 Nov 1997 12:49:05 +1100 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Robert Watson <robert@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG, bugtraq@netspace.org
Subject: Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
Message-ID: <Pine.BSF.3.91.971121123958.235N-100000@panda.hilink.com.au>
In-Reply-To: <Pine.BSF.3.96.971120181102.12215A-100000@cyrus.watson.org>
On Thu, 20 Nov 1997, Robert Watson wrote:

> Adding a rule for the interface denying packets from oneself appears to
> defend against the new attack.
>
> This rule worked:
> 03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0
> Where 128.2.91.57 is the host's IP address on device ed0.
>
> Adding this to rc.firewall on FreeBSD is also a good idea. Multi-homed
> hosts require one entry per device, needless to say.

With terminal servers which have IP addresses which move from interface to
interface, the following rules are more generic:

----------------------------------------------
#!/bin/sh
# Let loopback traffic through before the deny rules below are consulted
/sbin/ipfw add 1 allow ip from any to any via lo0
# Drop (and log) any inbound packet whose source is one of this host's own addresses
for ip in 127.0.0.1 192.2.3.4 192.2.3.6 192.7.8.9
do
    /sbin/ipfw add 2 deny log ip from $ip to any in
done
-----------------------------------------------

The above will prevent all self-spoofing attacks. The posted (and merged) fix
in tcp_input.c will not prevent attacks where packets are formed to go from
one interface to another on a multi-homed machine. I have not verified that
the multi-homed attack works, but my guess is that it would.

Sigh. I had made a start on reducing vulnerability to this sort of thing in
rc.firewall, but I had only got as far as 127.0.0.0/8 and had to get back to
money-earning work. Looks like I should finish the job.

Danny
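A small first-match model of the two rule sets discussed in this thread, added here as an illustration and not part of either message. It compares the per-interface "from X to X via IF" rule with the generic "deny from any local address, inbound" loop on a multi-homed host; the ed0/ed1 address assignment and the "allow" default policy are assumptions made for the example.

```python
# Added example: minimal first-match evaluation of ipfw-style rules,
# enough to compare the two anti-self-spoofing rule sets from the thread.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str     # interface the packet is seen on
    inbound: bool  # True for an incoming packet


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    via: Optional[str] = None        # interface name, None = any interface
    direction: Optional[str] = None  # "in", "out", or None = both

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.via in (None, p.iface)
                and (self.direction is None
                     or (self.direction == "in") == p.inbound))


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins, as in ipfw; an 'allow' default is assumed."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow"


# Constructed multi-homed host (assumption): ed0 = 192.2.3.4, ed1 = 192.2.3.6
LOCAL = {"lo0": "127.0.0.1", "ed0": "192.2.3.4", "ed1": "192.2.3.6"}

# Per-interface rule from the quoted message: deny ip from X to X via IF
PER_IFACE = [Rule("deny", ip, ip, via=ifc)
             for ifc, ip in LOCAL.items() if ifc != "lo0"]

# Generic rules from the reply: allow via lo0, then deny any local source inbound
GENERIC = [Rule("allow", via="lo0")] + [
    Rule("deny", src=ip, direction="in") for ip in LOCAL.values()]

# Forged packet carrying one interface's address but arriving on the other
CROSS = Packet(src="192.2.3.4", dst="192.2.3.6", iface="ed1", inbound=True)
```

The per-interface rules let CROSS through, since neither rule sees its own address as both source and destination on its own interface, while the generic set denies it and still passes loopback and the host's own outgoing traffic.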