Date: Wed, 27 May 1998 12:39:30 +0200
From: sthaug@nethelp.no
To: bag@sinbin.demos.su
Cc: andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible DoS opportunity via ping implementation error?
Message-ID: <9793.896265570@verdi.nethelp.no>
In-Reply-To: Your message of "Wed, 27 May 1998 11:48:19 +0400 (MSD)"
References: <199805270748.LAA23285@sinbin.demos.su>
> > >I had a very interesting day today! I found out that FBSD (2.2.5R)
> > >machines will always respond to a broadcasted echo request. For example:
> >
> > This contradicts the CERT Advisory below which states that FreeBSD does not
> > have the problem.
> >
> > Either the CERT report is wrong, a problem has been introduced since, or
> > it's specific to the way you've set up your boxes.
>
> CERT report is wrong
> I checked -current (Apr 23) and found that it responds to broadcast ping,
> default net.inet.icmp.bmcastecho=1, but it also responds to broadcast
> after sysctl -w net.inet.icmp.bmcastecho=0
> the good news is that in both cases it does not respond from aliases :)

The problematic code is the following, from the icmp_input() routine in
sys/netinet/ip_icmp.c:

        case ICMP_ECHO:
                if (!icmpbmcastecho
                    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
                    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
                        icmpstat.icps_bmcastecho++;
                        break;
                }
                icp->icmp_type = ICMP_ECHOREPLY;
                goto reflect;

The icmpbmcastecho variable is set according to net.inet.icmp.bmcastecho.
I guess setting net.inet.icmp.bmcastecho=0 is *meant* to turn off both
multicast and broadcast echo, however, this line

                    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

only tests on whether the destination address is a multicast address (i.e.
class D), when in reality it also needs to test whether it's one of the
acceptable broadcast addresses for this host (i.e. all ones, for every
interface: all ones in host part, all zeros in host part, etc). Such a
test is done by the in_broadcast() routine in sys/netinet/in.c.

I found it just as logical to simply remove the whole test, but I'll let
somebody else decide on whether this is the correct fix. I also changed
the initialization of the icmpbmcastecho variable, so it now defaults to
off (no multicast/broadcast echo). The following patch is against
2.2-980506-SNAP (ip_icmp.c,v 1.22.2.2), but should work equally well
against FreeBSD-current.

Late breaking news: I just checked -current on ftp.cdrom.com, and it
now has the IN_MULTICAST test removed. Still initializes icmpbmcastecho
to 1, though. I think it *should* default to 0 (off).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
*** ip_icmp.c.orig Mon Aug 25 18:33:02 1997
--- ip_icmp.c Wed May 27 12:20:55 1998
***************
*** 71,77 ****
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
&icmpmaskrepl, 0, "");
! static int icmpbmcastecho = 1;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
0, "");
--- 71,77 ----
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
&icmpmaskrepl, 0, "");
! static int icmpbmcastecho = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
0, "");
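Review bot: The changed line `static int icmpbmcastecho = 0;` flips the default for every host, but the SYSCTL_INT declaration directly below it still passes an empty description string, so nothing at the sysctl records what bmcastecho controls or that replies to broadcast and multicast requests are now off unless enabled. Suggest filling in the description in this same hunk and stating the new default in the change description, since anything that relies on broadcast ping for host discovery will stop getting answers after an upgrade.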
***************
*** 377,384 ****
case ICMP_ECHO:
if (!icmpbmcastecho
! && (m->m_flags & (M_MCAST | M_BCAST)) != 0
! && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
icmpstat.icps_bmcastecho++;
break;
}
--- 377,383 ----
case ICMP_ECHO:
if (!icmpbmcastecho
! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcastecho++;
break;
}
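Review bot: With the IN_MULTICAST() term removed, the ICMP_ECHO condition consults only the link-layer flags in m->m_flags and no longer looks at ip->ip_dst at all, so a request is dropped only when the frame itself was marked M_BCAST or M_MCAST on receipt. If the intent is to refuse every echo addressed to one of this host's broadcast addresses, consider also testing the destination with in_broadcast(), as the accompanying message mentions, or add a comment stating that the flag test is deliberately the only criterion.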
***************
*** 387,394 ****
case ICMP_TSTAMP:
if (!icmpbmcastecho
! && (m->m_flags & (M_MCAST | M_BCAST)) != 0
! && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
icmpstat.icps_bmcasttstamp++;
break;
}
--- 386,392 ----
case ICMP_TSTAMP:
if (!icmpbmcastecho
! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcasttstamp++;
break;
}
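Review bot: The ICMP_TSTAMP case is gated by the same icmpbmcastecho variable as ICMP_ECHO, so together with the new default of 0 the host stops answering broadcast and multicast timestamp requests by default, which the sysctl name bmcastecho does not suggest. Either document that the one knob covers both request types or give timestamp its own variable; the separate counter icps_bmcasttstamp already distinguishes the two.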
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9793.896265570>
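
The condition discussed in the message above, as an added example that is not part of the original e-mail or the FreeBSD source: a user-space C model of the ICMP_ECHO check before and after the patch, run over constructed packets. The struct pkt type, the flag values, and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel definitions; values are illustrative. */
#define M_BCAST 0x0100u
#define M_MCAST 0x0200u
/* Class D test: the top four address bits are 1110 (host byte order). */
#define IN_MULTICAST(a) ((((uint32_t)(a)) & 0xf0000000u) == 0xe0000000u)

struct pkt {            /* hypothetical reduced view of mbuf + IP header */
    unsigned m_flags;   /* link-layer delivery flags */
    uint32_t ip_dst;    /* destination address, host byte order */
};

/* Condition as quoted from icmp_input(): returns 1 when the echo is dropped. */
int drops_original(int bmcastecho, const struct pkt *p)
{
    return !bmcastecho
        && (p->m_flags & (M_MCAST | M_BCAST)) != 0
        && IN_MULTICAST(p->ip_dst);
}

/* Condition after the patch: the IN_MULTICAST term is gone. */
int drops_patched(int bmcastecho, const struct pkt *p)
{
    return !bmcastecho
        && (p->m_flags & (M_MCAST | M_BCAST)) != 0;
}

/* Constructed sample packets (documentation address range 192.0.2.0/24). */
const struct pkt bcast_limited = { M_BCAST, 0xffffffffu }; /* 255.255.255.255 */
const struct pkt bcast_subnet  = { M_BCAST, 0xc00002ffu }; /* 192.0.2.255 */
const struct pkt mcast_all     = { M_MCAST, 0xe0000001u }; /* 224.0.0.1 */
const struct pkt unicast       = { 0,       0xc000020au }; /* 192.0.2.10 */

int main(void)
{
    const struct pkt *s[] = { &bcast_limited, &bcast_subnet, &mcast_all, &unicast };
    const char *n[] = { "255.255.255.255", "192.0.2.255", "224.0.0.1", "192.0.2.10" };
    for (int i = 0; i < 4; i++)   /* bmcastecho=0 is the "replies off" setting */
        printf("%-16s original=%d patched=%d\n", n[i],
               drops_original(0, s[i]), drops_patched(0, s[i]));
    return 0;
}
```

With bmcastecho=0 the original condition drops only the class D packet, because neither broadcast destination satisfies IN_MULTICAST(); the patched condition drops both broadcast packets as well.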
