Date: Sat, 22 Jan 2000 04:46:38 +0200
From: Giorgos Keramidas
Reply-To: keramida@ceid.upatras.gr
To: Brett Glass
Cc: Matthew Dillon, Warner Losh, Darren Reed, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <20000122044638.B27337@hades.hell.gr>
In-Reply-To: <4.2.2.20000121163937.01a51dc0@localhost>
References: <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <200001212321.PAA64674@apollo.backplane.com> <4.2.2.20000121163937.01a51dc0@localhost>

On Fri, Jan 21, 2000 at 04:44:06PM -0700, Brett Glass wrote:
> At 04:21 PM 1/21/2000, Matthew Dillon wrote:
>
> > The ICMP_BANDLIM code does precisely this: It detects a potential attack
> > and limits the response to it. The current ICMP_BANDLIM code is limited
> > to two cases:
> >
> > (1) ICMP responses
> > (2) TCP packets sent to bad ports
> >
> > It would take perhaps ten seconds to extend the mechanism to cover other
> > TCP RST cases but the above two cases usually handle the vast majority of
> > these sorts of attacks so if this exploit code is stopped cold by
> > ICMP_BANDLIM, we're done. If it isn't then we spend a few seconds
> > extending the cases covered by ICMP_BANDLIM and we are done.
>
> I'd certainly like to see this extended to RST. We can optimize socket
> searching and prevent TCP from sending RSTs (or anything!) to multicast
> addresses at the same time. (We probably also want to block RECEIVED TCP
> packets from multicast addresses, as Wes suggests.)

So what needs to be done is:

(a) drop all multicast packets that reach the tcp stack,
(b) extend ICMP_BANDLIM to RST packets, and
(c) avoid sending anything tcp to a multicast address.

Am I forgetting something here?

-- 
Giorgos
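As an added example, not code from this thread or from FreeBSD, the following user-space model shows the two controls the list discusses: a per-second response limiter in the spirit of ICMP_BANDLIM applied to TCP RSTs, and a multicast check so the stack neither answers segments from 224.0.0.0/4 nor sends RSTs to it. The enum names, the limit value and the function names are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Response classes, modelled on ICMP_BANDLIM's idea of limiting each kind
 * of reply separately. These names are assumptions, not kernel identifiers. */
enum bandlim_type {
    BANDLIM_ICMP_UNREACH = 0,
    BANDLIM_RST_CLOSEDPORT,
    BANDLIM_MAX
};

struct bandlim_state {
    uint64_t period_start; /* wall-clock second the current window began */
    int count;             /* responses attempted in that window */
};

static struct bandlim_state bl_state[BANDLIM_MAX];
static const int bl_limit = 100; /* responses per second (assumed value) */

/* Returns true if the response may be sent, false if it must be suppressed.
 * Once per window, report how much was dropped, as a defender would log it. */
bool bandlim_allow(enum bandlim_type type, uint64_t now_sec)
{
    struct bandlim_state *s = &bl_state[type];
    if (now_sec != s->period_start) {
        if (s->count > bl_limit)
            printf("Limiting response type %d from %d to %d packets/sec\n",
                   (int)type, s->count, bl_limit);
        s->period_start = now_sec;
        s->count = 0;
    }
    s->count++;
    return s->count <= bl_limit;
}

/* IPv4 multicast is 224.0.0.0/4: the high nibble of the address is 1110. */
bool is_ipv4_multicast(uint32_t addr_host_order)
{
    return (addr_host_order & 0xf0000000u) == 0xe0000000u;
}

/* Decide whether a segment to a closed port earns a RST: never for
 * multicast source or destination, and only within the rate budget. */
bool should_send_rst(uint32_t src, uint32_t dst, uint64_t now_sec)
{
    if (is_ipv4_multicast(src) || is_ipv4_multicast(dst))
        return false;
    return bandlim_allow(BANDLIM_RST_CLOSEDPORT, now_sec);
}
```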