From owner-freebsd-hackers Sat Nov 18 14:24: 4 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 7365A37B479 for ; Sat, 18 Nov 2000 14:24:01 -0800 (PST) Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.1/8.11.0) with ESMTP id eAIMNs747524; Sat, 18 Nov 2000 17:23:54 -0500 (EST) (envelope-from louie@whizzo.transsys.com) Message-Id: <200011182223.eAIMNs747524@whizzo.transsys.com> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: Mike Silbersack Cc: Jesper Skriver , Alfred Perlstein , hackers@FreeBSD.ORG X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg From: "Louis A. Mamakos" Subject: Re: React to ICMP administratively prohibited ? References: In-reply-to: Your message of "Sat, 18 Nov 2000 11:04:55 CST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 18 Nov 2000 17:23:54 -0500 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > On Sat, 18 Nov 2000, Jesper Skriver wrote: > > > On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote: > > > > > > Probably not, what if one started a stream of spoofed ICMP lying > > > about the state of the route between the two machines? I have > > > the impression that the Linux box wouldn't be able to connect > > > because of this behavior. > > > > Correct, a attacker could in theory make sure we couldn't connect to > > a given remote box, but as I see it, it's mostly in teory. > > > > We could only react to this if we had a TCP session where we was > > waiting for a SYN/ACK from this specific host, this only leaves a very > > narrow window for a attacker to abuse, as he had to know both > > destination and time. > > > > Do you agree ? > > > > /Jesper > > Well, if you honor such messages, don't you have to honor them in the > middle of a connection too? Then you could cause a connection drop at any > time. No, you don't. This is a replay of discussions that happened literally 20 years ago as the first TCP implementations were being done. I believe the acceptable practice at the time was to honor an ICMP advisory (e.g., pass it to TCP to have it abort the pending connection) while in SYN-SENT state. That is, when initially trying to open the connection, give up sooner based on the ICMP message, rather than waiting for an ACK timeout. If an ICMP message associated with a connection was received after the connection passed to ESTABLISHED state, then you could choose to pass an advisory to the application, but not abort the connection. The Berkeley network stack did this, and a variety of applications would give up and die should they get an error return from a read() or write() system call on the connection, even though it was still alive. I think that behavior may have changed, but I haven't check anytime recently. At the time, the anticipated source of ICMP messages were Destination Unreachable advisories, provoked by either permanant or transient routing failures to the destination. > It would seem simpler to have the ISP in question use proper RST > responses, or just stop filtering totally. This behavior, while widely implemented, is a hack and a kludge. An intermediate network element isn't supposed to spoof source address and return responses on behalf of some other system. This only works for TCP, and only if you can see the headers (e.g., not encrypted with IPSEC). louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message