From owner-freebsd-net Mon Dec 18 9:26: 9 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 09:26:02 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 9FE3137B400; Mon, 18 Dec 2000 09:26:01 -0800 (PST) Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 5752B3E4B; Mon, 18 Dec 2000 18:26:00 +0100 (CET) Date: Mon, 18 Dec 2000 18:26:00 +0100 From: Jesper Skriver To: Kris Kennaway , Poul-Henning Kamp Cc: security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org Subject: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001218182600.C1856@skriver.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I'm trying to find out what to to now regarding this. To summarize. PHK committed my original patch, this patch have the following functionality - When a ICMP administrative prohibited is recieved, it zap's all TCP sessions in SYN-SENT state matching the source and destination IP addresses and TCP port numbers in the IP header + 8 bytes from the ICMP packet. - It does not match against TCP sequence number - disabled by default Yesterday I summitted a new diff, with the following changes to the above. - Matches against the TCP sequence number in the IP header + 8 bytes from the ICMP packet, against the last unacknowledged packet in the TCP session matching the source and destination IP addresses and TCP port numbers, these must be equal, thus it only matches if the ICMP unreachable is for the last sent packet. This is very secure, but in reality only has effect when setting up the session, as it doesn't work with multiple outstanding packets, it does work when setting up sessions, as the window will be zero here. this could be fixed by something like (*) - Check for SYN-SENT state removed - enabled by default What I will suggest at this point, is to do one of 2 things: 1) Extend the original diff PHK committed to check for sequence number, and enable it by default, trivial as it's part of the second diff. 2) Fix the second diff with the below code. For both I'll also add a extra check if the IP header in the ICMP packet has options set, and if it has, don't act on it, this applies to both, the reason for this is, if it has options set, we'll miss some (or all) of the 8 bytes from the TCP header, and thus, we'll not know port and sequence numbers. What do you prefer ? When I know this, I'll post a new diff for review. (*) replace if (tp->snd_una != tcp_sequence) { with /* * First check: if sequence numbers have wrapped, don't act on this. * Second -"- : if the sequence number from the ICMP packet is for a * "old" packet, it's probably spoofed, dont't act on this. * Third -"- : if the sequence number from the ICMP packet is for a * packet from the future, it's spoofed, don't act on this. */ if ((tp->snd_max < tp->snd_una) || (tcp_sequence < tp->snd_una) || \ (tp->snd_max < tcp_sequence)) { /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message