Date:      Mon, 8 Jan 2001 21:40:26 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Mike Silbersack <silby@silby.com>, Umesh Krishnaswamy <umesh@juniper.net>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Spoofing multicast addresses
Message-ID:  <200101090540.VAA15528@salsa.gv.tsc.tdk.com>
In-Reply-To: <Pine.BSF.4.31.0101082237330.11619-100000@achilles.silby.com>
References:   <Pine.BSF.4.31.0101082237330.11619-100000@achilles.silby.com>

On Jan 8, 10:39pm, Mike Silbersack wrote:
} Subject: Re: Spoofing multicast addresses
} 
} On Mon, 8 Jan 2001, Umesh Krishnaswamy wrote:
} 
} > Hi Folks,
} >
} > I was looking at the code for tcp_drop(). If there is a SYN flood attack,
} > tcp_drop is called to drop the connection on a listen queue overflow. tcp_drop
} > in turn sends an RST packet if it is in the SYN_RCVD state. If the attacker
} > spoofs multicast IP addresses, then there will be a flood of RST packets being
} > sent out by the machine.
} >
} > I am unclear on the RFCs, but shouldn't the tcp_drop code check if the src
} > address is multicast, if so drop without RST. Or maybe, even before that,
} > tcp_input should not accept SYN packets from multicast IP addresses.
} >
} > Thanks.
} > Umesh.
} 
} The check is done when the SYN is received, hence such a situation as you
} describe should not be able to occur.
} 
} From tcp_input.c:
} 
} 
}                 /*
}                  * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
}                  * in_broadcast() should never return true on a received
}                  * packet with M_BCAST not set.
}                  *
}                  * Packets with a multicast source address should also
}                  * be discarded.
}                  */
}                 if (m->m_flags & (M_BCAST|M_MCAST))
}                         goto drop;

That's the destination address check.  You left out the following:

#ifdef INET6
                if (isipv6) {
                        if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
                            IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
                                goto drop;
                } else 
#endif
                if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
                    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
                    ip->ip_src.s_addr == htonl(INADDR_BROADCAST))
                        goto drop;

This is where it needs to be checked, otherwise the initial
SYN-ACK response would be sent to the multicast address.

This implementation isn't totally bulletproof, since it doesn't
check for local broadcast source addresses.  In a hostile
environment you'll probably want to explicitly filter them with your
favorite packet filter.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
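The address check quoted in the thread, rebuilt as a stand-alone user-space C program. This is an added example, not code from tcp_input.c or from anyone in the thread. It works on host-order IPv4 values (what the kernel hands to IN_MULTICAST() after ntohl()), uses a hypothetical local_net table as a stand-in for the interface configuration, and adds a second function for the local-broadcast source gap Don Lewis mentions, which the kernel test alone does not catch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of the address checks tcp_input() applies
 * to an incoming SYN. All addresses are IPv4 in host byte order, which is
 * what the kernel passes to IN_MULTICAST() after ntohl(). */

/* Hypothetical stand-in for one configured interface (not a kernel type). */
struct local_net {
    uint32_t addr;   /* interface address, host order */
    uint32_t mask;   /* netmask, host order */
};

/* Constructed example configuration: one interface on 192.168.1.10/24. */
const struct local_net example_nets[] = {
    { 0xC0A8010AU, 0xFFFFFF00U },
};
#define EXAMPLE_NETS_N (sizeof(example_nets) / sizeof(example_nets[0]))

/* Parse a dotted quad into a host-order value; returns 0 on bad input. */
uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* The test quoted from tcp_input.c: multicast source or destination,
 * or the limited-broadcast address 255.255.255.255 as source. */
int kernel_syn_addr_check(uint32_t src, uint32_t dst)
{
    return IN_MULTICAST(dst) || IN_MULTICAST(src) || src == INADDR_BROADCAST;
}

/* The gap the reply points out: a source equal to the directed broadcast
 * of a locally attached subnet passes the test above. Interfaces with a
 * /32 mask have no broadcast address and are skipped. */
int src_is_local_broadcast(uint32_t src, const struct local_net *nets, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (nets[i].mask == 0xFFFFFFFFU)
            continue;
        uint32_t bcast = nets[i].addr | ~nets[i].mask;
        if (src == bcast)
            return 1;
    }
    return 0;
}

/* Combined decision: 1 means drop the SYN silently (no SYN-ACK, no RST). */
int should_drop_syn(uint32_t src, uint32_t dst, const struct local_net *nets, size_t n)
{
    return kernel_syn_addr_check(src, dst) || src_is_local_broadcast(src, nets, n);
}

int main(void)
{
    /* Constructed sample SYNs: source, destination. */
    const char *cases[][2] = {
        { "10.0.0.5",        "224.0.0.1"    },  /* multicast destination */
        { "239.1.1.1",       "192.168.1.10" },  /* multicast source */
        { "255.255.255.255", "192.168.1.10" },  /* limited-broadcast source */
        { "192.168.1.255",   "192.168.1.10" },  /* local directed broadcast: missed by kernel test */
        { "10.0.0.5",        "192.168.1.10" },  /* ordinary unicast SYN */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t s = ip4(cases[i][0]), d = ip4(cases[i][1]);
        printf("%-16s -> %-14s kernel=%d combined=%d\n", cases[i][0], cases[i][1],
               kernel_syn_addr_check(s, d),
               should_drop_syn(s, d, example_nets, EXAMPLE_NETS_N));
    }
    return 0;
}
```

The fourth case is the one the reply warns about: a SYN whose source is the directed broadcast of the local subnet passes kernel_syn_addr_check() and would draw a SYN-ACK to the whole segment, so it has to be caught either by a table like local_net or, as the reply suggests, by a packet filter in front of the host.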