Date: Mon, 8 Jan 2001 22:39:44 -0600 (CST)
From: Mike Silbersack
To: Umesh Krishnaswamy
Cc: freebsd-security@freebsd.org
Subject: Re: Spoofing multicast addresses
In-Reply-To: <3A5A6E08.1BAF3C@juniper.net>

On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:

> Hi Folks,
>
> I was looking at the code for tcp_drop(). If there is a SYN flood attack,
> tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
> in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
> spoofs multicast IP addresses, then there will be a flood of RST packets being
> sent out by the machine.
>
> I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
> address is multicast and, if so, drop without RST? Or maybe, even before that,
> tcp_input should not accept SYN packets from multicast IP addresses.
>
> Thanks.
> Umesh.

The check is done when the SYN is received, hence such a situation as you
describe should not be able to occur. From tcp_input.c:

	/*
	 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
	 * in_broadcast() should never return true on a received
	 * packet with M_BCAST not set.
	 *
	 * Packets with a multicast source address should also
	 * be discarded.
	 */
	if (m->m_flags & (M_BCAST|M_MCAST))
		goto drop;

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
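The drop decision discussed above, as an added user-space illustration that is not FreeBSD's tcp_input.c: it applies the mbuf-flag test quoted in the reply and also the IP-layer multicast source/destination test that the kernel comment calls for (that part is this example's own reading of the comment, not code from the page), over a constructed 40-byte IPv4/TCP segment. The names tcp_syn_should_drop, build_syn and syn_verdict are this example's own; the mbuf flag values are placeholders.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define TH_SYN  0x02
#define TH_ACK  0x10
#define M_BCAST 0x0100   /* placeholder: link-layer broadcast frame flag */
#define M_MCAST 0x0200   /* placeholder: link-layer multicast frame flag */

/* RFC 1122 4.2.3.10 check as it would sit on the LISTEN-state path.
 * Returns 1 if the SYN must be silently discarded (so no RST can ever be
 * reflected toward the address), 0 if it may proceed to the listen queue.
 * Non-SYN segments are not this path's concern and pass through as 0. */
int tcp_syn_should_drop(int m_flags, const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 4) return 1;      /* runt or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 1;
    uint32_t src, dst;
    memcpy(&src, pkt + 12, 4);
    memcpy(&dst, pkt + 16, 4);
    src = ntohl(src);
    dst = ntohl(dst);
    uint8_t flags = pkt[ihl + 13];
    if ((flags & (TH_SYN | TH_ACK)) != TH_SYN) return 0;
    if (m_flags & (M_BCAST | M_MCAST)) return 1;        /* bcast/mcast frame */
    /* IN_MULTICAST covers 224.0.0.0/4; a limited-broadcast source is bogus too */
    if (IN_MULTICAST(dst) || IN_MULTICAST(src) || src == INADDR_BROADCAST)
        return 1;
    return 0;
}

/* Constructed test input: minimal IPv4 header (IHL 5, proto TCP) + TCP header. */
size_t build_syn(uint8_t *buf, const char *src, const char *dst, uint8_t flags)
{
    struct in_addr a;
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[9] = IPPROTO_TCP;
    uint16_t tot = htons(40); memcpy(buf + 2, &tot, 2);
    inet_pton(AF_INET, src, &a); memcpy(buf + 12, &a, 4);
    inet_pton(AF_INET, dst, &a); memcpy(buf + 16, &a, 4);
    buf[32] = 0x50; buf[33] = flags;                    /* data offset 5 */
    return 40;
}

/* Convenience: build a segment and return the verdict in one call. */
int syn_verdict(const char *src, const char *dst, uint8_t flags, int m_flags)
{
    uint8_t buf[40];
    size_t n = build_syn(buf, src, dst, flags);
    return tcp_syn_should_drop(m_flags, buf, n);
}
```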