Date: Thu, 20 Nov 1997 12:15:39 -0500 (EST) From: spork <spork@super-g.com> To: Matt Dillon <dillon@best.net> Cc: GNATS Management <gnats@FreeBSD.ORG>, freebsd-questions@FreeBSD.ORG Subject: Re: kern/5103: FreeBSD kernel lockup from spoofed TCP packet Message-ID: <Pine.BSF.3.96.971120121442.12713A-100000@super-g.inch.com> In-Reply-To: <199711201231.EAA01449@flea.best.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a nasty one, care to share your hack-patch? Charles Sprickman spork@super-g.com ---- "I'm not a prophet or a stone-age man Just a mortal with potential of a superman I'm living on" -DB On Thu, 20 Nov 1997, Matt Dillon wrote: > > >Number: 5103 > >Category: kern > >Synopsis: It appears to be possible to lockup a FreeBSD box with a spoofed TCP packet. Two of our shell machines were attacked tonight. > >Confidential: no > >Severity: critical > >Priority: high > >Responsible: freebsd-bugs > >State: open > >Class: sw-bug > >Submitter-Id: current-users > >Arrival-Date: Thu Nov 20 04:40:01 PST 1997 > >Last-Modified: > >Originator: Matt Dillon > >Organization: > Best Internet Communications > >Release: FreeBSD 2.2.5-STABLE i386 > >Environment: > > FreeBSD 2.2.5 running on PPro 200's > > >Description: > > Two of our machines were locked up tonight by what looks like a > spoofed TCP packet. The characteristics of the packet were that > both the source and destination address were set to the machine's > ethernet IP address, and the same tcp port was used for both source > and destination. > > We were able to core both machines from the debugger. Both kernels > were stuck in an endless ip_intr loop. It appeared that the tcp > stack transmitted a packet which caused the higher level ip_intr > to loop on tcp_input. An infinite loop ensued. > > >How-To-Repeat: > > Not sure. > > >Fix: > > not sure about this. I hacked our kernels to discard any packet > where ti_src.s_addr == ti_dst.s_addr && ti_sport == ti_dport. I > am hoping this will prevent the attack from looping the code. > > -Matt > > >Audit-Trail: > >Unformatted: >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971120121442.12713A-100000>