From owner-freebsd-security  Fri Jan 21 13:35:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id 161141542B
	for <security@FreeBSD.ORG>; Fri, 21 Jan 2000 13:35:32 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id OAA24085;
	Fri, 21 Jan 2000 14:35:19 -0700 (MST)
Message-Id: <4.2.2.20000121143004.01908960@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Fri, 21 Jan 2000 14:35:16 -0700
To: Jared Mauch <jared@puck.nether.net>
From: Brett Glass <brett@lariat.org>
Subject: Re: stream.c worst-case kernel paths
Cc: Wes Peters <wes@softweyr.com>, TrouBle <trouble@netquick.net>,
	security@FreeBSD.ORG
In-Reply-To: <20000121162059.Y30675@puck.nether.net>
References: <4.2.2.20000121140941.01a68b30@localhost>
 <200001211415.BAA12772@cairo.anu.edu.au>
 <20000121.16082400@bastille.netquick.net>
 <3888C7D2.D82BE362@softweyr.com>
 <4.2.2.20000121140941.01a68b30@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's what I thought. This is really pathological. Why do we allow 
ourselves to send a RST to a multicast address, or accept an ACK from 
one? Could lower layers of the stack flag the ACK as coming from
a multicast address so that we can nuke it before (or as) it hits
the TCP layer? I can imagine a whole potential family of exploits
involving multicast addresses and TCP.

--Brett

At 02:20 PM 1/21/2000 , Jared Mauch wrote:
   
>         In the multicast world you only send UDP (or other types), you
>do not send tcp packets out, because you can't do a three-way
>handshake.
>
>         - jared
>
>On Fri, Jan 21, 2000 at 02:10:23PM -0700, Brett Glass wrote:
> > At 01:55 PM 1/21/2000 , Wes Peters wrote:
> > 
> > >Be warned if you're using the exploit program: if you select random
> > >addresses, it may (will) pick multicast IP addresses, which may have
> > >unintended side affects on your network.  Augh!
> > 
> > Geeze. Is it even LEGAL to ACK multicast packets?
> > 
> > --Brett
> > 
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>-- 
>Jared Mauch  | pgp key available via finger from jared@puck.nether.net
>clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
>END OF LINE  |



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message