Date:      Sun, 17 Dec 2000 10:26:13 -0600
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        freebsd-net@FreeBSD.org
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, Kris Kennaway <kris@FreeBSD.org>, jesper@skriver.dk, security-officer@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001217102613.B61976@spawn.nectar.com>
In-Reply-To: <20001217095914.A61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 09:59:14AM -0600
References:  <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com>

[Moved to freebsd-net]

On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> > 
> > There was some discussion on the list, and the result was that the
> > default for this behaviour is "off" for now.
> > 
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
> 
> [ I haven't looked at the patch ]
> 
> ICMP packets include the headers of the packets that `triggered' them,
> so we do have a sequence number.
> 
> I think the correct thing to do is to pull the source address,
> destination address, source port, destination port, and sequence number
> from the ICMP message, and zap the corresponding connection IFF the
> sequence number is in the window.

Jesper, I'm sorry I missed this thread on -hackers (I just caught up
using the archive). 

I'm glad this is off by default.  While clearly these ICMP messages need
to be handled, I think the approach taken has fatal flaws:
   (1) This opens a new DoS attack
   (2) These same messages are not handled for connections not in
       SYN-SENT: they ought to be

Are you planning on addressing these issues?  I don't think this code
should make it to -STABLE as-is.
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
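The check Jacques describes above (match the quoted addresses, ports and sequence number before acting on an ICMP error), written out as an added example; it is not part of this thread or of the FreeBSD source. It assumes a minimal hypothetical `tcb` struct and a raw IPv4 byte buffer as input, and it takes "in the window" to mean the quoted sequence number lies in [snd_una, snd_max), i.e. is data we sent that is still unacknowledged; that reading is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed, minimal TCP control block: only the fields the check needs (hypothetical). */
struct tcb {
    uint32_t laddr, faddr;  /* local / foreign IPv4 address, host byte order */
    uint16_t lport, fport;  /* local / foreign port, host byte order */
    uint32_t snd_una;       /* oldest sequence number not yet acknowledged */
    uint32_t snd_max;       /* one past the highest sequence number sent */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* 1 iff the ICMP error at pkt (outer IPv4 header first, len bytes) quotes a packet that
 * belongs to tcb AND the quoted sequence number is one we sent and is still unacknowledged,
 * i.e. seq in [snd_una, snd_max) modulo 2^32. Truncated or non-TCP quotes are ignored. */
int icmp_error_matches_tcb(const uint8_t *pkt, size_t len, const struct tcb *tcb)
{
    if (len < 20) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;                    /* outer IP header length */
    if (ihl < 20 || len < ihl + 8 + 20) return 0;
    const uint8_t *iip = pkt + ihl + 8;                  /* quoted IP header follows 8-byte ICMP header */
    size_t iihl = (iip[0] & 0x0f) * 4;
    if (iihl < 20 || len < ihl + 8 + iihl + 8) return 0; /* need 8 bytes of the quoted TCP header */
    if (iip[9] != 6) return 0;                           /* quoted packet is not TCP */
    const uint8_t *itcp = iip + iihl;
    /* We sent the quoted packet: its source is our local end, its destination the peer. */
    if (rd32(iip + 12) != tcb->laddr || rd32(iip + 16) != tcb->faddr) return 0;
    if (rd16(itcp) != tcb->lport || rd16(itcp + 2) != tcb->fport) return 0;
    uint32_t seq = rd32(itcp + 4);
    return (int32_t)(seq - tcb->snd_una) >= 0 && (int32_t)(seq - tcb->snd_max) < 0;
}

/* Constructed sample: an ICMP host-unreachable quoting our SYN (ISS 1000, so snd_una=1000,
 * snd_max=1001) from 192.0.2.1:40000 to 198.51.100.7:80, with the quoted seq replaced by seq. */
int demo(uint32_t seq)
{
    struct tcb t = { 0xC0000201u, 0xC6336407u, 40000, 80, 1000, 1001 };
    uint8_t p[20 + 8 + 20 + 8] = {0};
    p[0] = 0x45; p[9] = 1;                               /* outer IPv4 header, protocol ICMP */
    p[20] = 3; p[21] = 1;                                /* ICMP type 3, code 1 */
    uint8_t *iip = p + 28, *itcp = iip + 20;
    iip[0] = 0x45; iip[9] = 6;                           /* quoted IPv4 header, protocol TCP */
    iip[12] = 192; iip[13] = 0; iip[14] = 2; iip[15] = 1;      /* src 192.0.2.1 (us) */
    iip[16] = 198; iip[17] = 51; iip[18] = 100; iip[19] = 7;   /* dst 198.51.100.7 (peer) */
    itcp[0] = 40000 >> 8; itcp[1] = 40000 & 0xff; itcp[2] = 0; itcp[3] = 80;
    itcp[4] = (uint8_t)(seq >> 24); itcp[5] = (uint8_t)(seq >> 16);
    itcp[6] = (uint8_t)(seq >> 8);  itcp[7] = (uint8_t)seq;
    return icmp_error_matches_tcb(p, sizeof p, &t);
}
```

A blindly forged ICMP error has to guess the quoted sequence number as well as the four-tuple before it can affect the connection; anything outside [snd_una, snd_max) is simply dropped.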