Date:      Sun, 17 Dec 2000 13:50:34 -0800
From:      Peter Wemm <peter@netplex.com.au>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, jesper@skriver.dk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h 
Message-ID:  <200012172150.eBHLoYL91037@mobile.wemm.org>
In-Reply-To: <20001217015414.A18302@citusc.usc.edu> 

Kris Kennaway wrote:

> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > >>   We currently do not react to ICMP administratively prohibited
> > >>   messages sent by routers when they deny our traffic; this causes
> > >>   a timeout when trying to connect to TCP ports/services on a remote
> > >>   host which is blocked by routers or firewalls.
> > >
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> >
> > There was some discussion on the list, and the result was that the
> > default is this behaviour is "off" for now.
> >
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
> 
> The attack I'm thinking of involves flooding a machine with (possibly
> spoofed) ICMP packets which would effectively deny the ability for
> that machine to connect to its destination.

Well, sure, one could flood ICMP filtered messages with a source address of
212.242.40.147 (flutter.freebsd.dk), dest addr 216.136.204.21 (freefall),
dest port = 22 (ssh), but the missing part is the source port.  You still
have to do quite a bit of guessing/work to block phk from ssh'ing to
freefall.  In fact, it would probably end up looking more like a plain old
DoS in order to cover the RTT for all possible source ports that might be
in use.  (remember, you'd have to clobber the correct source port before
the SYN/SYN-ACK round trip, *and* you'd have to know that they were trying
to connect in the first place.)


> If this attack is possible then I'm unhappy having this code in
> FreeBSD, even disabled by default..RFC be damned :-)

Well, yes, but still hard... but not as hard as having to guess sequence
numbers as well.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
                         ^^^^^^^^^
What's this? :-)

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
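The matching problem Peter describes above, as an added example that is not the FreeBSD tcp_ctlinput code from the commit under discussion. An ICMP destination-unreachable message quotes the original IP header plus the first 8 bytes of the original datagram (RFC 792), which for an outbound SYN are our source port, the destination port and our 32-bit initial sequence number. The function below only tears down a connection that is in SYN-SENT and whose full 4-tuple matches the quoted SYN, which is why a spoofer still has to guess the source port. The `check_seq` switch, which also requires the quoted sequence number to equal the ISS we sent, is a hypothetical hardening added here, not something the 2000 commit did. The addresses, the ephemeral port 49160, the ISS value and the packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_UNREACH               3
#define ICMP_UNREACH_NET_PROHIB    9
#define ICMP_UNREACH_HOST_PROHIB   10
#define ICMP_UNREACH_FILTER_PROHIB 13
#define PROTO_TCP                  6

struct synsent_conn {
    uint32_t laddr, faddr;  /* local / foreign IPv4 address, host byte order */
    uint16_t lport, fport;  /* local / foreign TCP port, host byte order */
    uint32_t iss;           /* sequence number we sent in our SYN */
    int      aborted;
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Decide whether an inbound ICMP message aborts a SYN-SENT connection.
 * Returns 1 if a connection was torn down, 0 if the message was ignored.
 * check_seq != 0 also requires the quoted sequence number to equal the ISS
 * we sent (hypothetical hardening; the original commit did no such check). */
int icmp_prohib_input(const uint8_t *icmp, size_t len,
                      struct synsent_conn *tbl, size_t n, int check_seq)
{
    if (len < 8 + 20 + 8) return 0;            /* ICMP hdr + inner IP hdr + 8 bytes */
    if (icmp[0] != ICMP_UNREACH) return 0;
    if (icmp[1] != ICMP_UNREACH_NET_PROHIB && icmp[1] != ICMP_UNREACH_HOST_PROHIB &&
        icmp[1] != ICMP_UNREACH_FILTER_PROHIB) return 0;

    const uint8_t *iip = icmp + 8;             /* quoted header of our original SYN */
    size_t ihl = (size_t)(iip[0] & 0x0f) * 4;
    if ((iip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    if (iip[9] != PROTO_TCP) return 0;
    uint32_t src = get32(iip + 12), dst = get32(iip + 16);
    const uint8_t *tcp = iip + ihl;            /* first 8 bytes of the quoted TCP header */
    uint16_t sport = get16(tcp), dport = get16(tcp + 2);
    uint32_t seq = get32(tcp + 4);

    for (size_t i = 0; i < n; i++) {
        struct synsent_conn *c = &tbl[i];
        if (c->aborted) continue;
        /* The quoted datagram is our outbound SYN, so "src" is our side. */
        if (c->laddr != src || c->lport != sport ||
            c->faddr != dst || c->fport != dport) continue;
        if (check_seq && c->iss != seq) return 0;  /* tuple guessed, ISS not */
        c->aborted = 1;
        return 1;
    }
    return 0;
}

/* Build a constructed 36-byte ICMP unreachable message quoting a TCP SYN.
 * The ICMP checksum is left zero; it is not validated above. */
size_t build_icmp_prohib(uint8_t *buf, uint8_t code, uint32_t src, uint32_t dst,
                         uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = ICMP_UNREACH;
    buf[1] = code;
    uint8_t *iip = buf + 8;
    iip[0] = 0x45;                             /* IPv4, IHL = 5 */
    put16(iip + 2, 20 + 20);                   /* total length of the quoted SYN */
    iip[9] = PROTO_TCP;
    put32(iip + 12, src);
    put32(iip + 16, dst);
    uint8_t *tcp = iip + 20;
    put16(tcp, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);
    return 36;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

int main(void)
{
    /* Constructed scenario from the thread: flutter -> freefall:22, one ephemeral port. */
    struct synsent_conn conn = { IP4(212,242,40,147), IP4(216,136,204,21), 49160, 22, 0x1f2e3d4cU, 0 };
    uint8_t pkt[64];
    size_t len;

    len = build_icmp_prohib(pkt, ICMP_UNREACH_FILTER_PROHIB, conn.laddr, conn.faddr, 49159, 22, 0);
    printf("guessed wrong source port -> %d\n", icmp_prohib_input(pkt, len, &conn, 1, 0));
    len = build_icmp_prohib(pkt, ICMP_UNREACH_FILTER_PROHIB, conn.laddr, conn.faddr, 49160, 22, 0);
    printf("right tuple, seq check on -> %d\n", icmp_prohib_input(pkt, len, &conn, 1, 1));
    printf("right tuple, no seq check -> %d\n", icmp_prohib_input(pkt, len, &conn, 1, 0));
    return 0;
}
```

With the sequence check off, anyone who knows the 4-tuple can abort the pending connect, and the source port is the only value not obvious from the outside; with it on, the attacker also needs the ISS, which is the extra guessing Peter refers to.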






