Date: Sun, 17 Dec 2000 01:54:14 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Kris Kennaway <kris@FreeBSD.org>, jesper@skriver.dk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217015414.A18302@citusc.usc.edu>
In-Reply-To: <17340.977045052@critter>; from phk@critter.freebsd.dk on Sun, Dec 17, 2000 at 10:24:12AM +0100
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter>
On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> >> We currently do not react to ICMP administratively prohibited
> >> messages sent by routers when they deny our traffic; this causes
> >> a timeout when trying to connect to TCP ports/services on a remote
> >> host which is blocked by routers or firewalls.
> >
> > This sounds like a security hole since ICMP messages don't have a TCP
> > sequence number, meaning they can be trivially spoofed - am I wrong?
>
> There was some discussion on the list, and the result was that the
> default for this behaviour is "off" for now.
>
> Since we only react to this in "SYN-SENT" I think the window of
> opportunity is rather small in the first place...

The attack I'm thinking of involves flooding a machine with (possibly
spoofed) ICMP packets which would effectively deny the ability for that
machine to connect to its destination. If this attack is possible then
I'm unhappy having this code in FreeBSD, even disabled by default.
RFC be damned :-)

Kris
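The following is an added example written for this archive page; it is not code from the FreeBSD commit under discussion or from anyone in the thread. It models the SYN-SENT check Poul-Henning describes (an ICMP "administratively prohibited" message may only affect a connection that is still waiting for its SYN to be answered) and adds one assumed hardening step of its own: the sequence number quoted in the ICMP payload must equal the initial sequence number of the SYN the host actually sent. With the feature off, every message is ignored, which is the default the thread settles on; with it on, messages that do not match a real SYN-SENT connection are dropped and counted, so a flood of the kind Kris describes shows up in the counters instead of aborting connections. The connection-table layout, action strings, the `icmp_may_rst` knob name, the sample addresses and the packets are all constructed for the example.

```python
"""Added example, not code from the FreeBSD commit or from anyone in this thread.

A toy model of the SYN-SENT check discussed above: before an inbound ICMP
"administratively prohibited" message is allowed to abort a connection, the
host checks the quoted original datagram against its own connection table.
Everything here (the table layout, the action strings, the 'icmp_may_rst'
knob name, the sample addresses and packets) is constructed for illustration.
"""
import socket
import struct
from collections import Counter

ICMP_UNREACH = 3                      # ICMP destination unreachable (RFC 792)
ADMIN_PROHIBITED_CODES = {9, 10, 13}  # net / host / communication administratively prohibited

def ipv4_header(src, dst, proto=6, total_len=40):
    """Minimal 20-byte IPv4 header with no options (constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icmp_unreach(code, orig_src, orig_dst, sport, dport, seq):
    """ICMP unreachable quoting the original IP header plus the first 8 bytes of
    the original TCP header (ports and sequence number), which is all RFC 792
    obliges the router to echo back.  Checksum is left zero in this model."""
    quoted = ipv4_header(orig_src, orig_dst) + struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + quoted

def parse_icmp_unreach(data):
    """Return (code, orig_src, orig_dst, sport, dport, seq), or None when the
    message is not an unreachable that quotes enough of a TCP segment."""
    if len(data) < 8 + 20 + 8 or data[0] != ICMP_UNREACH:
        return None
    code = data[1]
    ip = data[8:]                         # quoted original datagram
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 8:   # not TCP, or ports/seq truncated
        return None
    orig_src = socket.inet_ntoa(ip[12:16])
    orig_dst = socket.inet_ntoa(ip[16:20])
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return code, orig_src, orig_dst, sport, dport, seq

def handle_icmp_unreach(data, conns, icmp_may_rst=False, stats=None):
    """Decide what an inbound ICMP unreachable may do to the connection table.

    conns maps (local_addr, local_port, remote_addr, remote_port) to a dict
    with 'state' and 'iss' (the initial sequence number of the SYN we sent).
    Returns an action string; stats (a Counter) records every decision so a
    flood of rejected messages is visible to monitoring.
    """
    def done(action):
        if stats is not None:
            stats[action] += 1
        return action

    if not icmp_may_rst:                  # the thread's default: feature off
        return done("ignored")
    parsed = parse_icmp_unreach(data)
    if parsed is None:
        return done("dropped:malformed")
    code, orig_src, orig_dst, sport, dport, seq = parsed
    if code not in ADMIN_PROHIBITED_CODES:
        return done("ignored:other-code")
    # The quoted datagram is one *we* sent, so its source is our local side.
    conn = conns.get((orig_src, sport, orig_dst, dport))
    if conn is None:
        return done("dropped:no-connection")
    if conn["state"] != "SYN-SENT":       # only the handshake is affected
        return done("dropped:not-syn-sent")
    if seq != conn["iss"]:                # assumed hardening: quoted seq must be our SYN's
        return done("dropped:seq-mismatch")
    conn["state"] = "CLOSED"
    return done("aborted")

def flood_suspected(stats, threshold=100):
    """True when rejected ICMP messages reach a threshold (constructed heuristic)."""
    rejected = sum(n for action, n in stats.items() if action.startswith("dropped:"))
    return rejected >= threshold

def run_demo(icmp_may_rst):
    """Three constructed messages against one SYN-SENT connection; returns the actions."""
    conns = {("10.0.0.2", 40000, "192.0.2.10", 22): {"state": "SYN-SENT", "iss": 123456789}}
    packets = [
        icmp_unreach(13, "10.0.0.2", "192.0.2.10", 40000, 22, 1),          # right 4-tuple, wrong seq
        icmp_unreach(13, "10.0.0.2", "192.0.2.10", 40001, 22, 123456789),  # no such connection
        icmp_unreach(13, "10.0.0.2", "192.0.2.10", 40000, 22, 123456789),  # genuine router reply
    ]
    stats = Counter()
    return [handle_icmp_unreach(p, conns, icmp_may_rst, stats) for p in packets]

if __name__ == "__main__":
    print("feature off:", run_demo(False))
    print("feature on: ", run_demo(True))
```

The order of checks is the point: the 4-tuple lookup and the SYN-SENT test are what limit the exposure Poul-Henning mentions, and the sequence comparison (an assumption here, not something the thread says the commit does) means a forged message has to carry the right ephemeral port and the right 32-bit initial sequence number before it can touch the connection. Counting every rejected message in `stats` gives an operator something to alarm on if the flood Kris describes ever arrives.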