From owner-freebsd-hackers  Wed Dec  3 02:12:22 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id CAA26229
          for hackers-outgoing; Wed, 3 Dec 1997 02:12:22 -0800 (PST)
          (envelope-from owner-freebsd-hackers)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id CAA26220
          for <freebsd-hackers@FreeBSD.ORG>; Wed, 3 Dec 1997 02:12:18 -0800 (PST)
          (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
          by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP
	  id CAA14412; Wed, 3 Dec 1997 02:12:17 -0800 (PST)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id CAA21523;
	Wed, 3 Dec 1997 02:12:16 -0800 (PST)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id CAA14035;
	Wed, 3 Dec 1997 02:12:14 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199712031012.CAA14035@salsa.gv.tsc.tdk.com>
Date: Wed, 3 Dec 1997 02:12:14 -0800
In-Reply-To: Don Lewis <Don.Lewis@tsc.tdk.com>
       "fixes for "LAND" and various other TCP bugs" (Dec  2, 12:17am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Don Lewis <Don.Lewis@tsc.tdk.com>, freebsd-hackers@FreeBSD.ORG
Subject: Re: fixes for "LAND" and various other TCP bugs
Cc: fenner@PARC.XEROX.COM, avalon@coombs.anu.edu.au, jas@flyingfox.com
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

One minor correction below:

On Dec 2, 12:17am, Don Lewis wrote:
} Subject: fixes for "LAND" and various other TCP bugs

} @@ -1660,9 +1722,26 @@
}  	/*
}  	 * Generate an ACK dropping incoming segment if it occupies
}  	 * sequence space, where the ACK reflects our state.
} +	 *
} +	 * We can now skip the test for the RST flag since all
} +	 * paths to this code happen after packets containing
} +	 * RST have been dropped.
} +	 *
} +	 * In the SYN-RECEIVED state, don't send an ACK unless the
} +	 * segment we received passes the SYN-RECEIVED ACK test.
} +	 * If it fails send a RST.  This breaks the loop in the
} +	 * "LAND" DoS attack, and also prevents an ACK storm
} +	 * between two listening ports that have been sent forged
} +	 * SYN segments, each with the source address of the other.
}  	 */
} -	if (tiflags & TH_RST)
} -		goto drop;
} +	if (tp->t_state == TCPS_SYN_RECEIVED) {
} +		if ((tiflags & TH_ACK) == 0)
} +			goto drop;

I think this should fall through and let the ACK be set if the ACK
bit is off on incoming packet.  We could be getting data outside
our receive window that is accompanying the initial SYN, so we
should resend our SYN-ACK.  This will still break the ACK loop.

} +		else if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
} +		    SEQ_GT(ti->ti_ack, tp->snd_max))
} +			goto dropwithreset;
} +		/* else fall through */
} +	}
}  #ifdef TCPDEBUG
}  	if (so->so_options & SO_DEBUG)
}  		tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0);


			---  Truck