From owner-freebsd-security Fri Jan 21 19:08:54 2000
Date: Sat, 22 Jan 2000 05:03:37 +0200
From: Giorgos Keramidas
Reply-To: keramida@ceid.upatras.gr
To: Brett Glass
Cc: Matthew Dillon, Warner Losh, Darren Reed, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <20000122050337.A27571@hades.hell.gr>
In-Reply-To: <4.2.2.20000121174940.019bd1a0@localhost>
References: <200001210417.PAA24853@cairo.anu.edu.au> <200001210642.XAA09108@harmony.village.org> <4.2.2.20000121163937.01a51dc0@localhost> <200001220035.QAA65392@apollo.backplane.com> <4.2.2.20000121174940.019bd1a0@localhost>

On Fri, Jan 21, 2000 at 05:51:26PM -0700, Brett Glass wrote:
> At 05:35 PM 1/21/2000, Matthew Dillon wrote:
>
> > I wouldn't worry about multicast addresses for several reasons. First,
> > very few machines actually run a multicast router. No router, no
> > problem.

This is not the case with some ISPs though. Speaking for my own country (i.e.
Greece), several major Internet Service Providers that I've tried have been
constantly sending IGMP and PIM packets even to dialup links. This probably
means that not a lot of people know about multicast, and those that are
playing around with it in these places have neglected to configure their
Cisco routers properly.

> I'm not so sure. Using a multicast address as the source address for an
> attack (like this one) does seem to be tying systems up into little tiny
> pretzel knots as they try to send RSTs to those addresses.

I think that dropping multicast packets dead on the floor if and when they
reach the TCP stack is the best thing to do. Sending to multicast addresses
seems to be a problem too, if I got you right, Brett.

-- 
Giorgos
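The check Giorgos proposes, as an added example that is not part of the thread and not code from the FreeBSD kernel: before the TCP input path answers an unsolicited segment (the kind stream.c floods a host with) by generating a RST, the IPv4 source and destination are classified, and a segment whose source is a multicast group, the limited broadcast address or the unspecified address is discarded silently, because any RST sent "back" to it would be forwarded to a group or broadcast address. The example goes one step beyond the message and also applies the RFC 793 rule that a RST is never answered with another RST. The function names, the verdict enum, the hand-built 40-byte IPv4+TCP packet and the sample addresses are all assumptions made for this example, not anything from the page.

```c
/*
 * Added example (not code from FreeBSD or from the mailing-list thread):
 * source/destination sanity check applied before a RST is generated for a
 * TCP segment that matches no socket. Hypothetical names throughout.
 *
 * Build: cc -std=c99 -Wall -o rstfilter rstfilter.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tcp_verdict {
    VERDICT_DROP_SILENT = 0,  /* discard the segment, transmit nothing */
    VERDICT_RST_ALLOWED = 1   /* no listener: a RST may be sent to the source */
};

/* Address classes, on host-byte-order IPv4 addresses. */
static bool ip4_is_multicast(uint32_t a)     { return (a & 0xF0000000u) == 0xE0000000u; } /* 224.0.0.0/4 */
static bool ip4_is_limited_bcast(uint32_t a) { return a == 0xFFFFFFFFu; }
static bool ip4_is_unspecified(uint32_t a)   { return a == 0u; }

/* A source that can never be a real TCP peer must never be answered with a RST,
 * since the reply would go to a group or broadcast address. */
bool tcp_src_allows_rst(uint32_t src_host)
{
    return !(ip4_is_multicast(src_host) ||
             ip4_is_limited_bcast(src_host) ||
             ip4_is_unspecified(src_host));
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decide the fate of a raw IPv4+TCP packet for which no socket exists.
 * Returns an enum tcp_verdict, or -1 if the packet is malformed. */
int tcp_unsolicited_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4u;
    if (ihl < 20 || len < ihl + 20) return -1;   /* need a full TCP header as well */
    if (pkt[9] != 6) return -1;                  /* IP protocol 6 == TCP */

    uint32_t src = load_be32(pkt + 12);
    uint32_t dst = load_be32(pkt + 16);
    uint8_t flags = pkt[ihl + 13];               /* TCP flags byte */

    /* TCP has no multicast or broadcast semantics: neither end may be a group address. */
    if (!tcp_src_allows_rst(src)) return VERDICT_DROP_SILENT;
    if (ip4_is_multicast(dst) || ip4_is_limited_bcast(dst)) return VERDICT_DROP_SILENT;
    /* RFC 793: never answer a RST with a RST, or two hosts can ping-pong forever. */
    if (flags & 0x04) return VERDICT_DROP_SILENT;
    return VERDICT_RST_ALLOWED;
}

/* Construct a minimal 40-byte IPv4+TCP packet (constructed sample input, no checksums). */
size_t build_packet(uint8_t *buf, uint32_t src_host, uint32_t dst_host, uint8_t tcp_flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;             /* version 4, IHL 5 (20 bytes, no options) */
    buf[3] = 40;               /* total length */
    buf[8] = 64;               /* TTL */
    buf[9] = 6;                /* TCP */
    store_be32(buf + 12, src_host);
    store_be32(buf + 16, dst_host);
    buf[20 + 12] = 0x50;       /* TCP data offset 5 */
    buf[20 + 13] = tcp_flags;
    return 40;
}

/* Convenience: build a packet for (src, dst, flags) and return its verdict. */
int verdict_for(uint32_t src_host, uint32_t dst_host, uint8_t tcp_flags)
{
    uint8_t pkt[40];
    size_t n = build_packet(pkt, src_host, dst_host, tcp_flags);
    return tcp_unsolicited_verdict(pkt, n);
}

int main(void)
{
    /* 192.0.2.1 and 198.51.100.2 are documentation addresses used as sample peers. */
    const uint32_t host = 0xC6336402u, peer = 0xC0000201u, mcast = 0xE0000001u;
    printf("stream.c-style ACK from unicast peer : %d (1 = RST allowed)\n", verdict_for(peer, host, 0x10));
    printf("ACK spoofed from multicast 224.0.0.1 : %d (0 = dropped)\n", verdict_for(mcast, host, 0x10));
    printf("ACK spoofed from 255.255.255.255     : %d (0 = dropped)\n", verdict_for(0xFFFFFFFFu, host, 0x10));
    printf("RST from unicast peer                : %d (0 = dropped)\n", verdict_for(peer, host, 0x04));
    return 0;
}
```

The same classification belongs on the destination side as well: a segment addressed to a group address is dropped rather than answered, which covers the "sending to multicast addresses" half of the concern. On a real stack the broadcast test would also need the interface's subnet-directed broadcast, which this example does not know.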