From owner-freebsd-security Tue Jul 25 23:05:06 2000
Delivered-To: freebsd-security@freebsd.org
Received: from listproc.corp.loudcloud.com (olly.loudcloud.com [208.50.142.100]) by hub.freebsd.org (Postfix) with ESMTP id 3082737BE16 for ; Tue, 25 Jul 2000 23:04:47 -0700 (PDT) (envelope-from yardley@uiuc.edu)
Received: from LIQUID-TP.uiuc.edu (liquid.geek.loudcloud.com [192.168.0.24]) by listproc.corp.loudcloud.com (8.10.1/8.10.1) with ESMTP id e6Q64ZS29275; Tue, 25 Jul 2000 23:04:36 -0700 (PDT)
Message-Id: <4.3.2.7.2.20000725223522.00b5dcc0@students.uiuc.edu>
X-Sender: yardley@students.uiuc.edu
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 25 Jul 2000 22:39:09 -0700
To: Wes Peters
From: Tim Yardley
Subject: Re: How defend from stream2.c attack?
Cc: Don Lewis , Maksimov Maksim , freebsd-security@FreeBSD.ORG
In-Reply-To: <397E783B.ADB8162A@softweyr.com>
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> With FreeBSD prior to 3.4/4.0 it didn't matter if you were attempting to
> use multicast or not, a stream attack using random multicast source
> addresses would turn your FreeBSD box into an attack reflector on every
> attached interface. Urk!

Correct. The blocking of multicast statement was meant for people that DO NOT use multicast. If you use multicast, then you cannot block it at the router. In other words, block * with multicast addresses. You could always just block tcp with multicast addresses, and that will not affect any real multicast traffic.

> That no longer happens; the code now realizes that a TCP packet from a
> multicast address is malformed and dumps it on the floor.

Any sane stack would drop the multicast packets on the floor immediately if they are TCP packets. That is basically what the patch did. Since the notion of TCP multicast is not even possible, that is the correct thing to do.

/tmy

-- 
Diving into infinity my consciousness expands
in inverse proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu) | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
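The check the thread describes, a stack or filter treating any TCP segment carrying a class D (224.0.0.0/4) source or destination address as malformed and dropping it while leaving real multicast traffic (UDP, IGMP) alone, as an added stand-alone illustration. This is not the FreeBSD patch being discussed nor code from any poster; the function names (`tcp_multicast_drop`, `sample_verdict`) and the constructed packets are hypothetical and exist only for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP 6          /* IPv4 protocol number for TCP */
#define PROTO_UDP 17         /* IPv4 protocol number for UDP */

/* Return 1 if the IPv4 address (host byte order) is class D, i.e. 224.0.0.0/4. */
static int is_multicast(uint32_t addr) { return (addr >> 28) == 0xE; }

/* Read a big-endian 32-bit value from wire bytes. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Write a 32-bit value as big-endian wire bytes. */
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Input-validation verdict for a raw IPv4 packet (hypothetical helper):
 *   1  = drop: TCP with a multicast source or destination, which is malformed
 *   0  = pass: anything else, including genuine UDP/IGMP multicast
 *  -1  = header too short or not IPv4, caller decides what to do
 */
int tcp_multicast_drop(const uint8_t *pkt, size_t len) {
    if (len < 20) return -1;                 /* minimum IPv4 header */
    if ((pkt[0] >> 4) != 4) return -1;       /* version nibble must be 4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return -1;    /* IHL must be sane and fit */
    uint8_t  proto = pkt[9];
    uint32_t src = rd32(pkt + 12);
    uint32_t dst = rd32(pkt + 16);
    if (proto == PROTO_TCP && (is_multicast(src) || is_multicast(dst)))
        return 1;
    return 0;
}

/* Build a minimal 20-byte IPv4 header with no options (constructed sample). */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, uint32_t src, uint32_t dst) {
    memset(buf, 0, 20);
    buf[0] = 0x45;        /* version 4, IHL 5 words */
    buf[3] = 20;          /* total length (no payload) */
    buf[8] = 64;          /* TTL */
    buf[9] = proto;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    return 20;
}

/* Convenience: build a packet from the given fields and classify it. */
int sample_verdict(uint8_t proto, uint32_t src, uint32_t dst) {
    uint8_t buf[20];
    size_t n = build_ipv4(buf, proto, src, dst);
    return tcp_multicast_drop(buf, n);
}

int main(void) {
    /* Constructed addresses: 230.1.2.3 (class D), 10.0.0.1, 224.0.0.9 (RIPv2 group), 192.0.2.1 */
    printf("TCP 230.1.2.3 -> 10.0.0.1    : %d (1 = drop)\n",
           sample_verdict(PROTO_TCP, 0xE6010203u, 0x0A000001u));
    printf("TCP 10.0.0.1 -> 230.1.2.3    : %d (1 = drop)\n",
           sample_verdict(PROTO_TCP, 0x0A000001u, 0xE6010203u));
    printf("TCP 10.0.0.1 -> 192.0.2.1    : %d (0 = pass)\n",
           sample_verdict(PROTO_TCP, 0x0A000001u, 0xC0000201u));
    printf("UDP 10.0.0.1 -> 224.0.0.9    : %d (0 = pass, real multicast)\n",
           sample_verdict(PROTO_UDP, 0x0A000001u, 0xE0000009u));
    return 0;
}
```

Only the protocol/address combination that cannot legitimately occur is rejected, which is why the filter is safe for sites that do run multicast: UDP or IGMP to a group address passes untouched, and a reflector has no TCP segment to answer.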