Date: Mon, 8 Jan 2001 22:39:44 -0600 (CST) From: Mike Silbersack <silby@silby.com> To: Umesh Krishnaswamy <umesh@juniper.net> Cc: <freebsd-security@freebsd.org> Subject: Re: Spoofing multicast addresses Message-ID: <Pine.BSF.4.31.0101082237330.11619-100000@achilles.silby.com> In-Reply-To: <3A5A6E08.1BAF3C@juniper.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
> Hi Folks,
>
> I was looking at the code for tcp_drop(). If there is a SYN flood attack,
> tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
> in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
> spoofs multicast IP addresses, then there will be a flood of RST packets being
> sent out by the machine.
>
> I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
> address is multicast, if so drop without RST. Or maybe, even before that,
> tcp_input should not accept SYN packets from multicast IP addresses.
>
> Thanks.
> Umesh.
The check is done when the SYN is received, hence such a situation as you
describe should not be able to occur.
From tcp_input.c:
/*
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
* in_broadcast() should never return true on a received
* packet with M_BCAST not set.
*
* Packets with a multicast source address should also
* be discarded.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
Mike "Silby" Silbersack
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.31.0101082237330.11619-100000>