Date: Wed, 19 Aug 1998 03:02:53 +0100 From: "Edwin Woudt" <edwin-ml@woudt.nl> To: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG Subject: Gateway/firewall denial of service Message-ID: <E0z8wbJ-0001Gf-00@cal007109.student.utwente.nl>
I use a FreeBSD 2.2.7 machine as a gateway and firewall between a
local network and a campus-wide network. Accidentally I discovered a
way to change the routing table of the local network on the gateway
from the campus network.
The problem is that the kernel accepts ARP broadcasts on one interface
for IP addresses that belong to another interface, thereby making a
machine on the local network unreachable for the gateway.
I tried to find the bug in the source code, but I'm not a C expert. I
hope somebody who is a better programmer will go through the code and
find the bug. As the code I thought to be related looked very old,
this might be a problem in all versions of FreeBSD and even other BSD
operating systems.
In more detail:
This machine has two 3C509b cards, of which ep0 is connected to the
campus network and ep1 is connected to the local network.
+---------------+         +-----------------+
| Win98 machine |         | FreeBSD 2.2.7   |
|               |---------|<-192.168.1.1    |
| 192.168.1.2   |         | 130.89.221.199->|-----Campus network
+---------------+         +-----------------+
# ifconfig -a
ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 130.89.221.199 netmask 0xffff0000 broadcast 130.89.255.255
        ether 00:a0:24:c7:7c:6e
ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffff0000 broadcast 192.168.255.255
        ether 00:20:af:5c:6b:ea
Normally the entry for the win98 machine in the routing table
(netstat -r) looks like this:
Destination   Gateway            Flags   Refs    Use  Netif Expire
192.168.1.2   0:80:ad:71:3c:fc   UHLW       6 366621    ep1   1197
But if another computer with the same IP address (192.168.1.2)
connects to the campus network, I get the following kernel message:
/kernel: arp: 192.168.1.2 moved from 00:80:ad:71:3c:fc to 00:00:e8:2f:c6:be
After that the routing table is like this:
Destination   Gateway            Flags   Refs    Use  Netif Expire
192.168.1.2   0:00:e8:2f:c6:be   UHLW       6 366621    ep1   1197
So, the interface is still the same, but the MAC address has changed
to that of a network card on the campus network, which is on
interface ep0. Result: 192.168.1.2 is unreachable on ep1.
This happened because a wrongly configured machine connected to the
campus network. But if someone wants, one can use this to make a
complete local network (not just one machine) unreachable.
Suggestion: Make it impossible to change a routing table entry on one
interface through another interface.
Edwin Woudt
=====================================================================
Edwin Woudt ("`-''-/").___..--''"`-._ Calslaan 7-109
`6_ 6 ) `-. ( ).`-.__.`) 7522 MH Enschede
edwin@woudt.nl (_Y_.)' ._ ) `._ `. ``-..-' The Netherlands
_..`--'_..-_/ /--'_.' ,'
ICQ: 1156462 (il),-'' (li),' ((!.-' +31 53 489 5010
=====================================================================
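The check the post suggests, as an added example that is not part of the original mail or of the FreeBSD kernel: a small model of an ARP cache in which an entry that was learned on one interface cannot be rewritten by an ARP packet arriving on a different interface, with the rejected attempt logged instead. The `ArpCache` class, its `update()` method and the replayed scenario are assumptions of this example; the addresses, interface names and the kernel "moved" message are taken from the report above, and `parse_moved()` extracts the fields from such a log line so an administrator can spot the same symptom on an unpatched gateway.

```python
"""
Interface-aware ARP cache model (constructed example, not FreeBSD code).

Policy: an (ip -> mac) entry may only be changed by an ARP packet seen on
the interface the entry was learned on.  A packet for the same IP arriving
on another interface is ignored and logged, which is the behaviour the
post asks for.  parse_moved() reads the kernel's "arp: ... moved from ... to"
message from an existing log so the symptom can be detected as well.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MOVED_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+)")


def parse_moved(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ip, old_mac, new_mac) from a kernel 'arp: ... moved' line, else None."""
    m = MOVED_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


@dataclass
class ArpEntry:
    mac: str
    ifname: str   # interface the entry was learned on


class ArpCache:
    def __init__(self) -> None:
        self.entries: Dict[str, ArpEntry] = {}
        self.log: List[str] = []

    def update(self, ip: str, mac: str, ifname: str) -> bool:
        """Apply an ARP-learned (ip, mac) pair seen on interface ifname.

        Returns True if the cache changed, False if nothing changed or the
        update was refused because it came in on the wrong interface.
        """
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = ArpEntry(mac, ifname)
            return True
        if cur.ifname != ifname:
            # The entry belongs to another interface: keep it, log the conflict.
            self.log.append(f"arp: {ip} claimed by {mac} on {ifname}, "
                            f"entry is on {cur.ifname}; ignored")
            return False
        if cur.mac != mac:
            # Same interface: a legitimate NIC swap or DHCP move, accept it.
            self.log.append(f"arp: {ip} moved from {cur.mac} to {mac}")
            cur.mac = mac
            return True
        return False


def replay_report() -> ArpCache:
    """Replay the scenario from the report with the interface check in place."""
    cache = ArpCache()
    # Win98 machine on the local network, learned on ep1.
    cache.update("192.168.1.2", "00:80:ad:71:3c:fc", "ep1")
    # Misconfigured host on the campus side announces the same IP via ep0.
    cache.update("192.168.1.2", "00:00:e8:2f:c6:be", "ep0")
    return cache


if __name__ == "__main__":
    c = replay_report()
    print(c.entries["192.168.1.2"])   # still ep1 / 00:80:ad:71:3c:fc
    for line in c.log:
        print(line)
    # Constructed copy of the kernel line from the report:
    print(parse_moved("/kernel: arp: 192.168.1.2 moved from 00:80:ad:71:3c:fc to 00:00:e8:2f:c6:be"))
```

With the interface check in place the second `update()` returns False and the entry for 192.168.1.2 stays on ep1 with its original MAC; a change announced on ep1 itself is still accepted, so a genuine NIC replacement on the local network keeps working.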