Date: Sun, 17 Dec 2000 20:04:25 +0100 From: Jesper Skriver <jesper@skriver.dk> To: "Louis A. Mamakos" <louie@TransSys.COM> Cc: Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001217200425.D34282@skriver.dk> In-Reply-To: <20001217183016.C34282@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 06:30:16PM %2B0100 References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu> <200012171529.eBHFT4512582@whizzo.transsys.com> <20001217182056.B34282@skriver.dk> <20001217183016.C34282@skriver.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Dec 17, 2000 at 06:30:16PM +0100, Jesper Skriver wrote:
> > > At that point, the situation is essentially the same as a RST-based
> > > attack and trying to predict TCP sequence numbers.
> >
> > Agree, will look more at this, and see if we can the tcp source and
> > destination port numbers.
>
> A sniffer trace gives me the IP header + 8 bytes. The first 8 bytes of
> the TCP header is source and destination ports + sequence number.
>
> Now, I need to find a way to decode these 8 bytes, and find the matching
> sessions, and only zap those.
>
> I'll look more at this, but I probably won't have anything working until
> later this week, as I have a few things I need to get done first.
I had allready forgotten the code in question, I'm quite sure it does
the right thing.
sys/netinet/tcp_subr.c : tcp_ctlinput
else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip))
notify = tcp_drop_syn_sent;
else if (cmd == PRC_MSGSIZE)
notify = tcp_mtudisc;
else if (!PRC_IS_REDIRECT(cmd) &&
((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0))
return;
if (ip) {
th = (struct tcphdr *)((caddr_t)ip
+ (IP_VHL_HL(ip->ip_vhl) << 2));
in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport,
cmd, notify);
} else
in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify);
When we get a PRC_UNREACH_PORT (*), the sysctl is set to 1, and the ICMP
packet had a ip header included, we set the notify/"action" to
'tcp_drop_syn_sent'
And then we call 'in_pcbnotify' with the both src/dst ip addresses and
port numbers, and 'in_pcbnotify' will call 'tcp_drop_syn_sent' for the
session matching those, and 'tcp_drop_syn_sent' will zap it, if it's in
SYN-SENT state.
The only thing I can see, we can do to improve the security of this,
would be to match agaist the TCP sequence number too, I have a patch for
this too, but I need to test it, will be back.
(*) What a ICMP unreachable is "translated" into in sys/netinet/ip_icmp.c
/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001217200425.D34282>