From owner-freebsd-security@FreeBSD.ORG Mon Mar 1 09:42:51 2004
Date: Mon, 1 Mar 2004 11:42:47 -0600 (CST)
From: Mike Silbersack
To: Sheldon Hearn
cc: freebsd-security@freebsd.org
Subject: Re: mbuf vulnerability
In-Reply-To: <20040301103615.GB97298@starjuice.net>
Message-ID: <20040301113726.T17968@odysseus.silby.com>
References: <6.0.3.0.0.20040229182702.07a67a68@209.112.4.2> <20040301103615.GB97298@starjuice.net>
List-Id: Security issues [members-only posting]

On Mon, 1 Mar 2004, Sheldon Hearn wrote:

> On (2004/02/29 19:03), Mike Silbersack wrote:
>
> > There is no way to fix this issue without kernel modifications. A fix has
> > been committed to -current, someone on the security team can probably
> > provide information on when the MFC will be appearing.
>
> Owch.
>
> The advisory says the DoS works by sending many out-of-sequence packets.
>
> Do you know how out-of-sequence the packets have to be? I ask
> because if they have to be significantly staggered, then my IPFilter
> firewall might offer me some protection and I can start breathing again.
>
> Ciao,
> Sheldon.
A specially constructed stateful firewall could be constructed to deal with
this DoS, but I'm certain that there's no way you could use ipf or anything
preexisting to do the job.

The main reason the DoS works is not because it is sending awkward packets,
but rather because we use one mbuf cluster for each segment received. Since
the smallest possible segment is one byte, and an mbuf cluster is 2048 bytes,
that's a pretty nasty multiplicative factor.

Would anyone feel better if I mention that it's generally pretty easy to DoS
a box anyway?

Mike "Silby" Silbersack
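The amplification Mike describes, one 2048-byte mbuf cluster pinned per out-of-order segment no matter how short the payload, is easy to see in a user-space model. The following C program is an added example, not code from the original message or from the FreeBSD kernel: it queues out-of-sequence TCP segments the way a reassembly queue would, charges one fixed-size cluster per queued segment, and then shows a hardened variant that refuses to queue more than a per-connection limit. The segment and connection structures, the cluster charge, and the queue cap are all modelling assumptions for illustration; the cap is not a description of the fix committed to -current.

```c
/* Added example: model of mbuf-cluster amplification in TCP reassembly.
 * Not FreeBSD code; structures, cluster accounting and the queue cap are
 * assumptions chosen to illustrate the message above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MCLBYTES 2048u  /* cluster size quoted in the message */

struct seg {
    unsigned seq;          /* first sequence number of the segment */
    unsigned len;          /* payload bytes (can be as small as 1) */
    struct seg *next;
};

struct conn {
    unsigned rcv_nxt;      /* next in-order byte the receiver expects */
    unsigned nqueued;      /* out-of-order segments currently held */
    unsigned maxqueued;    /* 0 = unlimited (the vulnerable behaviour) */
    unsigned dropped;      /* segments refused by the cap (hardened path) */
    struct seg *q;         /* reassembly queue, sorted by seq */
};

static void conn_init(struct conn *c, unsigned isn, unsigned cap) {
    memset(c, 0, sizeof *c);
    c->rcv_nxt = isn;
    c->maxqueued = cap;
}

static void conn_free(struct conn *c) {
    while (c->q) { struct seg *s = c->q; c->q = s->next; free(s); }
    c->nqueued = 0;
}

/* Hand queued segments to the application once they become contiguous. */
static void conn_drain(struct conn *c) {
    while (c->q && c->q->seq == c->rcv_nxt) {
        struct seg *s = c->q;
        c->rcv_nxt += s->len;
        c->q = s->next;
        c->nqueued--;
        free(s);
    }
}

/* Receive one segment. Returns 1 if accepted, 0 if refused by the cap. */
static int conn_input(struct conn *c, unsigned seq, unsigned len) {
    if (seq == c->rcv_nxt) {            /* in order: consume, then drain */
        c->rcv_nxt += len;
        conn_drain(c);
        return 1;
    }
    if (seq < c->rcv_nxt) return 1;     /* stale duplicate, nothing pinned */
    if (c->maxqueued && c->nqueued >= c->maxqueued) {
        c->dropped++;                   /* hardened: do not pin another cluster */
        return 0;
    }
    struct seg **pp = &c->q;
    while (*pp && (*pp)->seq < seq) pp = &(*pp)->next;
    if (*pp && (*pp)->seq == seq) return 1;  /* already queued */
    struct seg *s = malloc(sizeof *s);
    s->seq = seq; s->len = len; s->next = *pp;
    *pp = s;
    c->nqueued++;
    return 1;
}

/* Memory pinned by the queue: one full cluster per queued segment. */
static unsigned long conn_cluster_bytes(const struct conn *c) {
    return (unsigned long)c->nqueued * MCLBYTES;
}

/* Attacker model: leave one byte missing, then send n one-byte segments
 * behind the gap. Returns the cluster bytes the victim holds afterwards. */
static unsigned long flood_one_byte_segments(struct conn *c, unsigned n) {
    unsigned i;
    for (i = 0; i < n; i++) conn_input(c, c->rcv_nxt + 1 + i, 1);
    return conn_cluster_bytes(c);
}

/* Whole scenario helpers: peak pinned bytes, and segments the cap refused. */
static unsigned long scenario_pinned(unsigned n, unsigned cap) {
    struct conn c; conn_init(&c, 1000, cap);
    unsigned long b = flood_one_byte_segments(&c, n);
    conn_free(&c);
    return b;
}

static unsigned scenario_refused(unsigned n, unsigned cap) {
    struct conn c; conn_init(&c, 1000, cap);
    flood_one_byte_segments(&c, n);
    unsigned d = c.dropped;
    conn_free(&c);
    return d;
}

int main(void) {
    unsigned n = 10000;
    printf("unbounded queue: %u one-byte segments pin %lu bytes (x%u)\n",
           n, scenario_pinned(n, 0), MCLBYTES);
    printf("queue capped at 48: pins %lu bytes, refuses %u segments\n",
           scenario_pinned(n, 48), scenario_refused(n, 48));
    return 0;
}
```

Note that nothing about the flood is "awkward" at the packet level: every segment is a valid in-window TCP segment that a stateful filter such as ipf would pass, which is why the memory cost has to be bounded in the kernel's reassembly path rather than at the firewall.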