From owner-cvs-all Sun Dec 17 11: 4:32 2000
From owner-cvs-all@FreeBSD.ORG Sun Dec 17 11:04:27 2000
Return-Path:
Delivered-To: cvs-all@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 4900C37B400; Sun, 17 Dec 2000 11:04:27 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id B36843E59; Sun, 17 Dec 2000 20:04:25 +0100 (CET)
Date: Sun, 17 Dec 2000 20:04:25 +0100
From: Jesper Skriver
To: "Louis A. Mamakos"
Cc: Kris Kennaway, Poul-Henning Kamp, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217200425.D34282@skriver.dk>
References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu> <200012171529.eBHFT4512582@whizzo.transsys.com> <20001217182056.B34282@skriver.dk> <20001217183016.C34282@skriver.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001217183016.C34282@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 06:30:16PM +0100
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Dec 17, 2000 at 06:30:16PM +0100, Jesper Skriver wrote:
> > > At that point, the situation is essentially the same as a RST-based
> > > attack and trying to predict TCP sequence numbers.
> >
> > Agree, will look more at this, and see if we can the tcp source and
> > destination port numbers.
>
> A sniffer trace gives me the IP header + 8 bytes. The first 8 bytes of
> the TCP header is source and destination ports + sequence number.
>
> Now, I need to find a way to decode these 8 bytes, and find the matching
> sessions, and only zap those.
>
> I'll look more at this, but I probably won't have anything working until
> later this week, as I have a few things I need to get done first.
I had already forgotten the code in question; I'm quite sure it does the right thing.

sys/netinet/tcp_subr.c : tcp_ctlinput

	else if ((icmp_admin_prohib_like_rst == 1) &&
		 (cmd == PRC_UNREACH_PORT) && (ip))
		notify = tcp_drop_syn_sent;
	else if (cmd == PRC_MSGSIZE)
		notify = tcp_mtudisc;
	else if (!PRC_IS_REDIRECT(cmd) &&
		 ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0))
		return;
	if (ip) {
		th = (struct tcphdr *)((caddr_t)ip + (IP_VHL_HL(ip->ip_vhl) << 2));
		in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
		    cmd, notify);
	} else
		in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify);

When we get a PRC_UNREACH_PORT (*), the sysctl is set to 1, and the ICMP
packet had an IP header included, we set the notify/"action" to
'tcp_drop_syn_sent'.

And then we call 'in_pcbnotify' with both the src/dst IP addresses and
port numbers, and 'in_pcbnotify' will call 'tcp_drop_syn_sent' for the
session matching those, and 'tcp_drop_syn_sent' will zap it, if it's in
SYN-SENT state.

The only thing I can see we can do to improve the security of this would
be to match against the TCP sequence number too. I have a patch for this
too, but I need to test it, will be back.

(*) What an ICMP unreachable is "translated" into in sys/netinet/ip_icmp.c

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek          @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
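As an added example (written for this page; it is neither FreeBSD's tcp_ctlinput nor Jesper's pending patch), the matching the message describes in user-space C: decode the inner IP header plus the 8 bytes of TCP header that an ICMP unreachable quotes, then drop a SYN-SENT session only when the full 4-tuple matches and the quoted sequence number lies in the range the session actually sent, which is the extra sequence-number check Jesper proposes. The struct layouts, the session fields, the sample addresses and the constructed quote bytes are assumptions for the example; the wraparound-safe compare mirrors the SEQ_GEQ/SEQ_LEQ macros from tcp_seq.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed minimal TCP state values (numerically as in FreeBSD's tcp_fsm.h). */
enum tcp_state { TCPS_CLOSED = 0, TCPS_SYN_SENT = 2, TCPS_ESTABLISHED = 4 };

/* Hypothetical stand-in for the pieces of a tcpcb/inpcb this check needs. */
struct session {
    uint32_t laddr, faddr;   /* local/foreign IPv4 address, host byte order */
    uint16_t lport, fport;   /* local/foreign TCP port, host byte order */
    enum tcp_state state;
    uint32_t iss;            /* initial send sequence number (the SYN's seq) */
    uint32_t snd_max;        /* highest sequence number sent so far */
};

/* Fields recovered from the quoted packet inside an ICMP error. */
struct icmp_quote {
    uint32_t src, dst;       /* inner IP header src/dst, host byte order */
    uint16_t sport, dport;   /* first 4 bytes of the quoted TCP header */
    uint32_t seq;            /* next 4 bytes: the sequence number */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the ICMP payload: an IPv4 header followed by at least 8 bytes of the
 * original transport header. Returns 1 on success, 0 if the quote is too
 * short, not IPv4, or not TCP (in which case nothing may be notified). */
int decode_quote(const uint8_t *buf, size_t len, struct icmp_quote *q)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(buf[0] & 0x0f) * 4;        /* IP_VHL_HL(ip_vhl) << 2 */
    if (hl < 20 || len < hl + 8) return 0;
    if (buf[9] != 6) return 0;                       /* IPPROTO_TCP */
    q->src = rd32(buf + 12);
    q->dst = rd32(buf + 16);
    q->sport = rd16(buf + hl);
    q->dport = rd16(buf + hl + 2);
    q->seq = rd32(buf + hl + 4);
    return 1;
}

/* Wraparound-safe sequence comparison, like SEQ_GEQ/SEQ_LEQ in tcp_seq.h. */
static int seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* The quoted packet was sent by us, so its src/sport are our local
 * address/port and its dst/dport the foreign ones (the same mapping as the
 * in_pcbnotify call above). Drop only when the 4-tuple matches, the session
 * is in SYN-SENT, and the quoted sequence number is one we actually sent,
 * i.e. iss <= seq <= snd_max; a forged ICMP with a guessed seq fails here. */
int should_drop_syn_sent(const struct session *s, const struct icmp_quote *q)
{
    if (s->state != TCPS_SYN_SENT) return 0;
    if (q->src != s->laddr || q->dst != s->faddr) return 0;
    if (q->sport != s->lport || q->dport != s->fport) return 0;
    if (!seq_geq(q->seq, s->iss) || !seq_leq(q->seq, s->snd_max)) return 0;
    return 1;
}

/* Build a constructed 28-byte quote (20-byte IPv4 header without options plus
 * 8 bytes of TCP). This is sample data for the example, not a captured packet. */
size_t make_quote(uint8_t *buf, uint32_t src, uint32_t dst,
                  uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    buf[3] = 40;                                     /* total length, arbitrary */
    buf[9] = 6;                                      /* IPPROTO_TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
        buf[24 + i] = (uint8_t)(seq >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)(sport & 0xff);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xff);
    return 28;
}

int main(void)
{
    /* Constructed session: 192.168.0.1:49152 -> 192.168.0.2:80, SYN just sent. */
    struct session s = { 0xC0A80001u, 0xC0A80002u, 49152, 80, TCPS_SYN_SENT,
                         1000, 1001 };
    uint8_t buf[28];
    struct icmp_quote q;
    size_t n = make_quote(buf, s.laddr, s.faddr, s.lport, s.fport, s.iss);
    if (decode_quote(buf, n, &q))
        printf("genuine quote:  drop=%d\n", should_drop_syn_sent(&s, &q));
    n = make_quote(buf, s.laddr, s.faddr, s.lport, s.fport, 7777);
    if (decode_quote(buf, n, &q))
        printf("wrong seq:      drop=%d\n", should_drop_syn_sent(&s, &q));
    return 0;
}
```

In SYN-SENT, snd_max is normally iss + 1, so the accepted window is a single sequence number and a spoofed unreachable has to carry the right ports and the right ISS to have any effect; an ICMP that quotes fewer than header + 8 bytes is ignored rather than matched on a partial tuple.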