From owner-freebsd-security Mon Jan 8 21:41:10 2001
From: Don Lewis
Message-Id: <200101090540.VAA15528@salsa.gv.tsc.tdk.com>
Date: Mon, 8 Jan 2001 21:40:26 -0800
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Mike Silbersack, Umesh Krishnaswamy
Subject: Re: Spoofing multicast addresses
Sender: owner-freebsd-security@FreeBSD.ORG

On Jan 8, 10:39pm, Mike Silbersack wrote:
} Subject: Re: Spoofing multicast addresses
}
} On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
}
} > Hi Folks,
} >
} > I was looking at the code for tcp_drop(). If there is a SYN flood attack,
} > tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
} > in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
} > spoofs multicast IP addresses, then there will be a flood of RST packets being
} > sent out by the machine.
} >
} > I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
} > address is multicast, and if so drop without an RST? Or maybe, even before that,
} > tcp_input should not accept SYN packets from multicast IP addresses.
} >
} > Thanks.
} > Umesh.
}
} The check is done when the SYN is received, hence such a situation as you
} describe should not be able to occur.
}
} From tcp_input.c:
}
}	/*
}	 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
}	 * in_broadcast() should never return true on a received
}	 * packet with M_BCAST not set.
}	 *
}	 * Packets with a multicast source address should also
}	 * be discarded.
}	 */
}	if (m->m_flags & (M_BCAST|M_MCAST))
}		goto drop;

That's the destination address check. You left out the following:

#ifdef INET6
	if (isipv6) {
		if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
		    IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
			goto drop;
	} else
#endif
	if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
	    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
	    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
		goto drop;

This is where it needs to be checked, otherwise the initial SYN-ACK response
would be sent to the multicast address.

This implementation isn't totally bulletproof, since it doesn't check for
local broadcast source addresses. In a hostile environment you'll probably
want to explicitly filter them with your favorite packet filter.
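As an added example (not part of the thread or of the FreeBSD kernel source), the IPv4 half of the check above, written as a stand-alone predicate over a constructed `struct syn_ctx` so the cases can be exercised without a kernel: the M_BCAST|M_MCAST flag, the multicast destination/source and limited-broadcast source checks from tcp_input.c, plus the subnet-directed ("local") broadcast source check that Don notes the kernel does not make; the `local_bcast` field and the `syn_should_drop*` names are assumptions made here for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET */
#include <netinet/in.h>   /* IN_MULTICAST, INADDR_BROADCAST */
#include <arpa/inet.h>    /* inet_pton, ntohl, htonl */

/* Hypothetical, simplified view of what tcp_input looks at for an IPv4 SYN. */
struct syn_ctx {
    uint32_t ip_src;        /* IP source, network byte order */
    uint32_t ip_dst;        /* IP destination, network byte order */
    int      m_bcast_mcast; /* nonzero if the mbuf would carry M_BCAST|M_MCAST */
    uint32_t local_bcast;   /* receiving interface's subnet-directed broadcast,
                               network byte order; 0 = not configured (assumed) */
};

/* Returns 1 if the SYN must be silently dropped (no SYN-ACK, no RST), else 0. */
int syn_should_drop(const struct syn_ctx *c)
{
    /* Link-layer broadcast/multicast frame: RFC 1122 4.2.3.10. */
    if (c->m_bcast_mcast)
        return 1;
    /* Multicast destination or source, or limited-broadcast source, as in
     * the tcp_input.c fragment quoted in the message. */
    if (IN_MULTICAST(ntohl(c->ip_dst)) || IN_MULTICAST(ntohl(c->ip_src)))
        return 1;
    if (c->ip_src == htonl(INADDR_BROADCAST))
        return 1;
    /* Added here, not in the kernel snippet: a source equal to the local
     * subnet-directed broadcast address would also draw a reply to a
     * broadcast address, so refuse it when the address is known. */
    if (c->local_bcast != 0 && c->ip_src == c->local_bcast)
        return 1;
    return 0;
}

/* Convenience wrapper taking dotted quads (constructed inputs); -1 on bad input. */
int syn_should_drop_str(const char *src, const char *dst, int m_flag,
                        const char *local_bcast)
{
    struct syn_ctx c;
    struct in_addr a;
    memset(&c, 0, sizeof c);
    if (inet_pton(AF_INET, src, &a) != 1) return -1;
    c.ip_src = a.s_addr;
    if (inet_pton(AF_INET, dst, &a) != 1) return -1;
    c.ip_dst = a.s_addr;
    c.m_bcast_mcast = m_flag;
    if (local_bcast != NULL) {
        if (inet_pton(AF_INET, local_bcast, &a) != 1) return -1;
        c.local_bcast = a.s_addr;
    }
    return syn_should_drop(&c);
}
```

Without `local_bcast` the wrapper reproduces the kernel's behaviour, so a SYN from 192.0.2.255 to a host on 192.0.2.0/24 is accepted; supplying the interface's broadcast address shows the extra filtering Don suggests doing in a packet filter.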