From: Umesh Krishnaswamy
Organization: Juniper Networks
Date: Mon, 08 Jan 2001 17:48:56 -0800
To: freebsd-security@freebsd.org
Subject: Spoofing multicast addresses
Message-ID: <3A5A6E08.1BAF3C@juniper.net>

Hi Folks,

I was looking at the code for tcp_drop(). If there is a SYN flood attack, tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker spoofs multicast IP addresses, then there will be a flood of RST packets being sent out by the machine.

I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src address is multicast, and if so drop without RST? Or maybe, even before that, tcp_input should not accept SYN packets from multicast IP addresses.

Thanks.
Umesh.
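The two checks proposed in the message above, compared in a small userland model (an added example, not code from the post or from FreeBSD). The queue limit `QLIMIT`, the oldest-first eviction policy, the names `simulate` and `struct result`, and the sample addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define QLIMIT 4  /* assumed listen-queue limit, kept small for the model */

struct result { unsigned rsts; unsigned unicast_evicted; };

/* Class D (224.0.0.0/4) test on a host-byte-order IPv4 address. */
static int is_multicast(uint32_t a) { return (a >> 28) == 0xeu; }

/* Constructed SYN sources: 192.0.2.x are unicast, 224.0.0.x multicast. */
static const uint32_t SAMPLE[10] = {
    0xc0000201u, 0xe0000001u, 0xe0000002u, 0xe0000003u, 0xe0000004u,
    0xe0000005u, 0xc0000202u, 0xe0000006u, 0xe0000007u, 0xe0000008u };

/* Each SYN queues a SYN_RCVD entry; on overflow the oldest entry is dropped
 * (assumed policy) and an RST goes to its source unless suppressed.
 * filter_input: refuse multicast-source SYNs before they are queued.
 * filter_drop:  at drop time, send no RST to a multicast peer. */
struct result simulate(const uint32_t *src, size_t n,
                       int filter_input, int filter_drop)
{
    uint32_t q[QLIMIT];
    size_t head = 0, len = 0;
    struct result r = { 0, 0 };

    for (size_t i = 0; i < n; i++) {
        if (filter_input && is_multicast(src[i]))
            continue;                      /* never reaches SYN_RCVD */
        if (len == QLIMIT) {               /* listen queue overflow */
            uint32_t victim = q[head];
            head = (head + 1) % QLIMIT;
            len--;
            if (!is_multicast(victim))
                r.unicast_evicted++;       /* a real peer lost its slot */
            if (!(filter_drop && is_multicast(victim)))
                r.rsts++;
        }
        q[(head + len) % QLIMIT] = src[i];
        len++;
    }
    return r;
}

int main(void)
{
    for (int mode = 0; mode < 3; mode++) {   /* 0 none, 1 drop-time, 2 input-time */
        struct result r = simulate(SAMPLE, 10, mode == 2, mode == 1);
        printf("mode %d: rsts=%u unicast_evicted=%u\n", mode, r.rsts, r.unicast_evicted);
    }
    return 0;
}
```

In this model the drop-time check stops the RSTs to multicast sources but the queue still overflows, while the input-time check keeps those SYNs out of the queue altogether.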