Date:      Sun, 17 Dec 2000 20:04:25 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        "Louis A. Mamakos" <louie@TransSys.COM>
Cc:        Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001217200425.D34282@skriver.dk>
In-Reply-To: <20001217183016.C34282@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 06:30:16PM +0100
References:  <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu> <200012171529.eBHFT4512582@whizzo.transsys.com> <20001217182056.B34282@skriver.dk> <20001217183016.C34282@skriver.dk>

On Sun, Dec 17, 2000 at 06:30:16PM +0100, Jesper Skriver wrote:

> > > At that point, the situation is essentially the same as a RST-based
> > > attack and trying to predict TCP sequence numbers.
> > 
> > Agree, will look more at this, and see if we can the tcp source and
> > destination port numbers.
> 
> A sniffer trace gives me the IP header + 8 bytes. The first 8 bytes of
> the TCP header is source and destination ports + sequence number.
> 
> Now, I need to find a way to decode these 8 bytes, and find the matching
> sessions, and only zap those.
> 
> I'll look more at this, but I probably won't have anything working until
> later this week, as I have a few things I need to get done first.

I had already forgotten the code in question, I'm quite sure it does
the right thing.

sys/netinet/tcp_subr.c : tcp_ctlinput

        /* port unreachable with the sysctl on: only SYN-SENT sessions are dropped */
        else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip))
                notify = tcp_drop_syn_sent;
        else if (cmd == PRC_MSGSIZE)
                notify = tcp_mtudisc;
        else if (!PRC_IS_REDIRECT(cmd) &&
                 ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0))
                return;
        if (ip) {
                /* TCP header follows the quoted IP header; IHL gives its length */
                th = (struct tcphdr *)((caddr_t)ip
                                       + (IP_VHL_HL(ip->ip_vhl) << 2));
                /* match on foreign addr/port and local addr/port of the quoted packet */
                in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
                        cmd, notify);
        } else
                in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify);

When we get a PRC_UNREACH_PORT (*), the sysctl is set to 1, and the ICMP
packet had an IP header included, we set the notify/"action" to
'tcp_drop_syn_sent'.

And then we call 'in_pcbnotify' with both the src/dst IP addresses and
port numbers, and 'in_pcbnotify' will call 'tcp_drop_syn_sent' for the
session matching those, and 'tcp_drop_syn_sent' will zap it, if it's in
SYN-SENT state.

The only thing I can see we can do to improve the security of this
would be to match against the TCP sequence number too. I have a patch for
this too, but I need to test it, will be back.

(*) What an ICMP unreachable is "translated" into in sys/netinet/ip_icmp.c
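Added example, not code from the FreeBSD tree and not Jesper's patch: a
stand-alone C sketch of the decode-and-match step described above, with the
proposed sequence-number check applied. The session table, the struct and
function names, and the ICMP quote built by build_quoted() are hypothetical
stand-ins for the kernel's inpcb/tcpcb lookup and for a captured packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical session table standing in for the inpcb/tcpcb lookup that
 * in_pcbnotify() does in the kernel; values are host byte order. */
enum tcp_state { TCPS_CLOSED = 0, TCPS_SYN_SENT = 1, TCPS_ESTABLISHED = 2 };

struct session {
    uint32_t laddr, faddr;   /* local and foreign IPv4 address */
    uint16_t lport, fport;   /* local and foreign TCP port */
    uint32_t iss;            /* sequence number of the SYN we sent */
    enum tcp_state state;
};

/* What the "IP header + 8 bytes" quoted by the ICMP error gives us. */
struct quoted { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decode the quoted datagram. Header length comes from the IHL nibble, the
 * same computation as IP_VHL_HL(ip->ip_vhl) << 2 in tcp_ctlinput().
 * Returns 0 on success, -1 if the quote is too short or not TCP. */
int decode_quoted(const uint8_t *buf, size_t len, struct quoted *q)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t hl = (size_t)(buf[0] & 0x0f) << 2;
    if (hl < 20 || len < hl + 8 || buf[9] != 6 /* IPPROTO_TCP */)
        return -1;
    q->src = rd32(buf + 12);      q->dst = rd32(buf + 16);
    q->sport = rd16(buf + hl);    q->dport = rd16(buf + hl + 2);
    q->seq = rd32(buf + hl + 4);
    return 0;
}

/* The quoted packet is one we sent, so its source side is our local end,
 * mirroring in_pcbnotify(&tcb, sa, th_dport, ip_src, th_sport, ...). */
int find_session(const struct session *tab, size_t n, const struct quoted *q)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].laddr == q->src && tab[i].lport == q->sport &&
            tab[i].faddr == q->dst && tab[i].fport == q->dport)
            return (int)i;
    return -1;
}

/* Port-unreachable handling: abort only a SYN-SENT session (what
 * tcp_drop_syn_sent does) and, as the extra check proposed above, only
 * when the quoted sequence number is the ISS of the SYN we actually sent.
 * Returns 1 if the session was dropped, 0 if the ICMP message was ignored. */
int handle_port_unreach(struct session *tab, size_t n, const uint8_t *buf, size_t len)
{
    struct quoted q;
    int i;

    if (decode_quoted(buf, len, &q) != 0 || (i = find_session(tab, n, &q)) < 0)
        return 0;
    if (tab[i].state != TCPS_SYN_SENT || q.seq != tab[i].iss)
        return 0;
    tab[i].state = TCPS_CLOSED;
    return 1;
}

/* Constructed 28-byte quote: minimal IPv4 header (IHL 5, proto TCP) plus
 * the first 8 bytes of a TCP header. Returns the length written. */
size_t build_quoted(uint8_t *buf, uint32_t src, uint32_t dst,
                    uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                 /* version 4, IHL 5 words */
    buf[9] = 6;                    /* IPPROTO_TCP */
    for (int k = 0; k < 4; k++) {
        buf[12 + k] = (uint8_t)(src >> (24 - 8 * k));
        buf[16 + k] = (uint8_t)(dst >> (24 - 8 * k));
        buf[24 + k] = (uint8_t)(seq >> (24 - 8 * k));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 28;
}

/* Scenarios over a constructed two-entry table (local host 192.0.2.1,
 * peers in 198.51.100.0/24, all documentation addresses):
 *   0: exact quote of the outstanding SYN    -> dropped
 *   1: same quote, wrong sequence number     -> ignored
 *   2: quote naming the established session  -> ignored
 *   3: quote truncated to the IP header      -> ignored
 * Returns handle_port_unreach()'s result, or -1 if the table state does not
 * agree with that result. */
int demo_case(int which)
{
    static const struct { uint32_t dst; uint16_t lp, fp; uint32_t seq; size_t cut; } c[4] = {
        { 0xC6336401u, 40000, 80,  0x11223344u, 0 },
        { 0xC6336401u, 40000, 80,  0x11223345u, 0 },
        { 0xC6336402u, 40001, 443, 0x55667788u, 0 },
        { 0xC6336401u, 40000, 80,  0x11223344u, 8 },
    };
    struct session tab[2] = {
        { 0xC0000201u, 0xC6336401u, 40000, 80,  0x11223344u, TCPS_SYN_SENT },
        { 0xC0000201u, 0xC6336402u, 40001, 443, 0x55667788u, TCPS_ESTABLISHED },
    };
    uint8_t buf[28];
    size_t len;
    int r;

    if (which < 0 || which > 3)
        return -1;
    len = build_quoted(buf, 0xC0000201u, c[which].dst, c[which].lp, c[which].fp, c[which].seq) - c[which].cut;
    r = handle_port_unreach(tab, 2, buf, len);
    if (r == 1 && tab[0].state != TCPS_CLOSED)
        return -1;
    if (r == 0 && (tab[0].state != TCPS_SYN_SENT || tab[1].state != TCPS_ESTABLISHED))
        return -1;
    return r;
}
```

The point of the sequence check is in case 1: a message that names the right
four-tuple but carries a sequence number other than the ISS of the SYN
actually in flight is ignored, so a sender who only knows the ports still
cannot zap the session. Case 3 shows why the length checks matter before
the header-length shift is trusted: a quote shorter than IP header + 8
bytes is dropped rather than read past its end.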

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

