Date: Sun, 17 Dec 2000 15:58:26 +0100 From: Jesper Skriver <jesper@skriver.dk> To: Kris Kennaway <kris@FreeBSD.org> Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001217155826.A16170@skriver.dk> In-Reply-To: <20001217015414.A18302@citusc.usc.edu>; from kris@FreeBSD.org on Sun, Dec 17, 2000 at 01:54:14AM -0800 References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217015414.A18302@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 17, 2000 at 01:54:14AM -0800, Kris Kennaway wrote: > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote: > > >> We currently does not react to ICMP administratively prohibited > > >> messages send by routers when they deny our traffic, this causes > > >> a timeout when trying to connect to TCP ports/services on a remote > > >> host, which is blocked by routers or firewalls. > > > > > >This sounds like a security hole since ICMP messages don't have a TCP > > >sequence number meaning they can be trivially spoofed - am I wrong? > > > > There was some discussion on the list, and the result was that the > > default is this behaviour is "off" for now. > > > > Since we only react to this in "SYN-SENT" I think the window of > > opportunity is rather small in the first place... > > The attack I'm thinking of involves flooding a machine with (possibly > spoofed) ICMP packets which would effectively deny the ability for > that machine to connect to its destination. If we imagine machine A wants to connect to machine B, and someone floods machine A with spoofed ICMP unreachable packets, telling machine A that it cannot reach machine B, then you would have a DOS. But as PHK says, it's disabled by default, and the above is a very special case, the "bad guy" needs to know where machine A wants to connect to, and it needs to be a continious flood, making it easy to track down the offender. > If this attack is possible then I'm unhappy having this code in > FreeBSD, even disabled by default..RFC be damned :-) It solves problems when trying to connects to hosts behind packet filters and/or firewalls, and I can add that Linux has this "feature" enabled by default, atleast since kernel v2.0 which was the oldest box I could find. /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001217155826.A16170>