From: "Travis H." <solinym@gmail.com>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF "keep state" for ICMP
Date: Thu, 17 Nov 2005 00:44:41 -0600
In-Reply-To: <20051108095903.GB6116@insomnia.benzedrine.cx>
References: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com> <20051108095903.GB6116@insomnia.benzedrine.cx>

(Any ICMP traffic is allowed back in after an outbound ICMP that keeps state)

> Assuming you're a malicious A, what do you gain, though? You're already
> getting pinged by C, so you know it's there. You could already deliver
> an arbitrary amount of reply packets. Fingerprinting silliness?

Oooh, a challenge in creative thinking!

First, remember that src IPs are eminently spoofable. So no protection there.

Next let's handle the issue of the IDs. They appear to be 16-bit values, so if the number sent out during a state expiry period is P, and the attacker sends Q responses, then we expect that a reply will get back in if PQ is close to 65536, and this assumes perfectly random IDs in both the outbound and inbound... i.e. a perfect world.

Lemme see, anything that handled net/host unreach intelligently could be fooled into thinking C doesn't exist, causing DoS...

You could send net redirect messages to reroute traffic to arbitrary places...

You could query the timestamp on A, which may reveal system uptime and thus help distinguish between machines that may be behind NAT and appear to share the same IP...

The attacker could force the source host to fragment packets for C, which may do something interesting. At least it would reduce the bandwidth from A to C, but it may be a DoS since something in between may be dropping fragments. It could induce such short UDP/TCP fragments that they don't contain src/dst port information, and thus are dropped by a firewall, causing DoS... or possibly allocate reassembly buffers, which could cause DoS in pathological cases....

You could query the address (subnet) mask.... of the internal network. Not scandalous, but do outside hosts really need that information? That's enough to get your subnet-directed broadcast address, and thus use your network as an amplifier.

Hmm, nothing too earthshaking but lots of DoS possibilities and some information disclosure.

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
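The "PQ close to 65536" rule of thumb in the post is a back-of-the-envelope estimate of how little protection a 16-bit ICMP identifier gives when it is the only thing a state entry checks. The following is an added example written for this archive page, not code from the thread or from pf; it makes the estimate exact and checks it by simulation. The model assumes P open states with distinct, uniformly random identifiers and Q unsolicited replies whose identifiers are chosen independently and uniformly, which is the "perfect world" the post describes; it says nothing about how a given ping implementation really picks identifiers (sequential identifiers would make the outcome deterministic rather than probabilistic).

```python
import random

ID_SPACE = 1 << 16  # the ICMP echo identifier is a 16-bit field


def expected_matches(p: int, q: int, id_space: int = ID_SPACE) -> float:
    """Expected number of unsolicited replies that land on one of p open states.

    Each of the q replies hits with probability p/id_space, so the expectation
    is p*q/id_space. The post's "PQ close to 65536" is exactly this value ~ 1.
    """
    return p * q / id_space


def match_probability(p: int, q: int, id_space: int = ID_SPACE) -> float:
    """Probability that at least one of q random replies matches an open state.

    Complement of "all q replies miss"; each miss has probability 1 - p/id_space
    and the replies are independent under the model's assumptions.
    """
    if p >= id_space:
        return 1.0
    return 1.0 - (1.0 - p / id_space) ** q


def simulate(p: int, q: int, trials: int, seed: int = 1,
             id_space: int = ID_SPACE) -> float:
    """Monte Carlo check of match_probability under the same assumptions.

    Draws p distinct open identifiers (constructed sample data) and q
    independent reply identifiers per trial; returns the fraction of trials
    in which at least one reply would have been accepted by the state table.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        open_ids = set(rng.sample(range(id_space), p))
        if any(rng.randrange(id_space) in open_ids for _ in range(q)):
            hits += 1
    return hits / trials


def main() -> None:
    # A few (P, Q) points: the product is what matters, and at P*Q = 65536 the
    # chance of at least one accepted reply is already about 1 - 1/e = 63%.
    print(f"{'P':>6} {'Q':>7} {'P*Q/65536':>10} {'P(>=1 hit)':>11} {'simulated':>10}")
    for p, q in [(1, 65536), (16, 4096), (256, 256), (256, 2560), (4096, 16)]:
        print(f"{p:>6} {q:>7} {expected_matches(p, q):>10.2f} "
              f"{match_probability(p, q):>11.3f} "
              f"{simulate(p, q, trials=300, seed=p):>10.3f}")


if __name__ == "__main__":
    main()
```

The closed-form and simulated columns agree, and the table shows that the identifier only ever buys a small constant factor: once the product of open states and unsolicited replies reaches the size of the identifier space the firewall accepts at least one of them about two thirds of the time, and ten times that product makes acceptance near certain. That is why the poster treats source-address spoofing plus identifier guessing as "no protection", and why the real question is which ICMP types a state should admit at all, not how the identifier is chosen.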