From owner-freebsd-questions Tue Nov 25 19:52:57 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA11906 for questions-outgoing; Tue, 25 Nov 1997 19:52:57 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from cc00ms.unity.ncsu.edu (cc00ms.unity.ncsu.edu [152.1.1.35]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA11901 for ; Tue, 25 Nov 1997 19:52:54 -0800 (PST) (envelope-from fwang2@eos.ncsu.edu)
Received: from loki.csc.ncsu.edu (loki.csc.ncsu.edu [152.1.213.138]) by cc00ms.unity.ncsu.edu (8.8.4/US19Dec96) with SMTP id WAA11683 for ; Tue, 25 Nov 1997 22:53:07 -0500 (EST)
Message-ID: <347B9D12.6BBC@eos.ncsu.edu>
Date: Tue, 25 Nov 1997 22:52:50 -0500
From: Feiyi Wang
Organization: NCSU Shang Research Group
X-Mailer: Mozilla 3.01Gold (X11; I; SunOS 5.4 sun4m)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: land attack - a clarification
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

I saw a lot of postings on "land" attacks. One thing is that you can't always expect it will "crash" a machine. Actually, what the land attack did is a "self-connection", which could cause TCP to enter an infinite loop, therefore degrading the system performance. Some OSes (for example, win95) will crash. (I never tested that, but the author claimed so.)

Fix is simple - discard the self-connection packet in tcp_input.c. A patch for FreeBSD was posted in a newsgroup by Joerg a few days ago, attached as follows -

/Feiyi

In the CVS tree.

Index: /sys/netinet/tcp_input.c =================================================================== RCS file: /home/cvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.65 retrieving revision 1.66 diff -u -u -r1.65 -r1.66 --- tcp_input.c 1997/11/07 08:53:21 1.65 +++ tcp_input.c 1997/11/20 20:04:49 1.66
@@ -315,6 +315,19 @@ goto drop; } #endif /* TUBA_INCLUDE */ + + /* + * Reject attempted self-connects. XXX This actually masks + * a bug elsewhere, since self-connect should work. + * However, a urrently-active DoS attack in the Internet + * sends a phony self-connect request which causes an infinite + * loop. + */ + if (ti->ti_src.s_addr == ti->ti_dst.s_addr + && ti->ti_sport == ti->ti_dport) { + tcpstat.tcps_badsyn++; + goto drop; + } /* * Check that TCP offset makes sense,
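
Review bot: the added test `if (ti->ti_src.s_addr == ti->ti_dst.s_addr && ti->ti_sport == ti->ti_dport)` runs for every inbound segment and does not look at the TCP flags, so it drops any packet with matching endpoints, not only the "phony self-connect request" the comment describes, and it charges all of them to `tcpstat.tcps_badsyn` even when the segment is not a SYN. Consider gating the check on a SYN (`ti->ti_flags & TH_SYN`), or moving it to the point where a connection request is actually accepted, so the counter stays accurate and the drop is confined to the case that triggers the loop. The comment's own XXX says this masks a bug elsewhere and that self-connect should work; as written, a legitimate self-connect is now dropped as well, so the comment should say so explicitly and point at where the looping behaviour still needs to be fixed. Minor: "urrently-active" in the comment is missing its first letter.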