Date: Sun, 17 Dec 2000 13:50:34 -0800 From: Peter Wemm <peter@netplex.com.au> To: Kris Kennaway <kris@FreeBSD.org> Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, jesper@skriver.dk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <200012172150.eBHLoYL91037@mobile.wemm.org> In-Reply-To: <20001217015414.A18302@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Kris Kennaway wrote: > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote: > > >> We currently does not react to ICMP administratively prohibited > > >> messages send by routers when they deny our traffic, this causes > > >> a timeout when trying to connect to TCP ports/services on a remote > > >> host, which is blocked by routers or firewalls. > > > > > >This sounds like a security hole since ICMP messages don't have a TCP > > >sequence number meaning they can be trivially spoofed - am I wrong? > >=20 > > There was some discussion on the list, and the result was that the > > default is this behaviour is "off" for now. > >=20 > > Since we only react to this in "SYN-SENT" I think the window of > > opportunity is rather small in the first place... > > The attack I'm thinking of involves flooding a machine with (possibly > spoofed) ICMP packets which would effectively deny the ability for > that machine to connect to its destination. Well, sure, one could flood ICMP filtered messages with a source address of 212.242.40.147 (flutter.freebsd.dk), dest addr 216.136.204.21 (freefall), dest port = 22 (ssh), but the missing part is the source port. You still have to do quite a bit of guessing/work to block phk from ssh'ing to freefall. In fact, it would probably end up looking more like a plain old DoS in order to cover the RTT for all possible source ports that might be in use. (remember, you'd have to clobber correct the source port before the SYN/SYN-ACK round trip, *and* you'd have to know that they were trying to connect in the first place.) > If this attack is possible then I'm unhappy having this code in > FreeBSD, even disabled by default..RFC be damned :-) Well, yes, but still hard... but not as hard as having to guess sequence numbers as well. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (GNU/Linux) ^^^^^^^^^ What's this? :-) Cheers, -Peter -- Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au "All of this is for nothing if we don't go to the stars" - JMS/B5 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012172150.eBHLoYL91037>