[Moved to freebsd-net]
On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > In message <[EMAIL PROTECTED]>, Kris Kennaway writes:
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> >
> > There was some discussion on the list, and the result was that the
> > default for this behaviour is "off" for now.
> >
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
>
> [ I haven't looked at the patch ]
>
> ICMP packets include the headers of the packets that `triggered' them,
> so we do have a sequence number.
>
> I think the correct thing to do is to pull the source address,
> destination address, source port, destination port, and sequence number
> from the ICMP message, and zap the corresponding connection IFF the
> sequence number is in the window.
Jesper, I'm sorry I missed this thread on -hackers (I just caught up
using the archive).
I'm glad this is off by default. While clearly these ICMP messages need
to be handled, I think the approach taken has fatal flaws:
(1) This opens a new DoS attack
(2) These same messages are not handled for connections not in
SYN-SENT: they ought to be
Are you planning on addressing these issues? I don't think this code
should make it to -STABLE as-is.
--
Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
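As an added illustration of the check Jacques proposes (this is example code written for this page, not code from the thread, the patch under discussion, or FreeBSD), the following C program parses an ICMPv4 error message, recovers the quoted source/destination addresses, ports and TCP sequence number from the embedded IP and TCP headers, finds the matching connection, and aborts it only if that sequence number lies in the sender's unacknowledged window [snd_una, snd_nxt). It applies the check in any connection state, not only SYN-SENT, which is the generalisation Jacques argues for in point (2). All names (`tcp_conn`, `icmp_quote`, `handle_icmp_error`, `build_icmp_unreach`, `run_checks`) are hypothetical, the connection table is a flat array standing in for the kernel's PCB list, and the sample ICMP message is constructed in the block with its checksum left unset (real code verifies the ICMP checksum before reaching this point).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { TCPS_SYN_SENT = 1, TCPS_ESTABLISHED = 2 };

/* Hypothetical minimal connection record (stands in for a kernel PCB). */
struct tcp_conn {
    uint32_t laddr, faddr;       /* local / foreign IPv4 address, host order */
    uint16_t lport, fport;
    uint32_t snd_una, snd_nxt;   /* oldest unacked seq, next seq to send */
    int state;
    bool aborted;
};

/* Fields recovered from the packet quoted inside the ICMP error. */
struct icmp_quote { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* ICMPv4 error: 8-byte ICMP header, then the quoted IP header and at least the
   first 8 bytes of the transport header (enough for ports and TCP seq).
   Returns false for non-error types, truncated quotes, or non-TCP quotes. */
bool parse_icmp_error(const uint8_t *msg, size_t len, struct icmp_quote *q) {
    if (len < 8) return false;
    uint8_t type = msg[0];
    if (type != 3 && type != 4 && type != 11 && type != 12) return false;
    const uint8_t *ip = msg + 8;
    size_t rem = len - 8;
    if (rem < 20 || (ip[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || rem < ihl + 8) return false;
    if (ip[9] != 6) return false;               /* quoted protocol must be TCP */
    q->src = get32(ip + 12);  q->dst = get32(ip + 16);
    const uint8_t *tcp = ip + ihl;
    q->sport = get16(tcp);  q->dport = get16(tcp + 2);  q->seq = get32(tcp + 4);
    return true;
}

/* seq in [una, nxt) using modular 32-bit comparison (handles wraparound). */
static bool seq_in_window(uint32_t seq, uint32_t una, uint32_t nxt) {
    return (int32_t)(seq - una) >= 0 && (int32_t)(seq - nxt) < 0;
}

/* The quoted packet was sent by us, so its source is our local endpoint. */
struct tcp_conn *find_conn(struct tcp_conn *tbl, size_t n, const struct icmp_quote *q) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].laddr == q->src && tbl[i].lport == q->sport &&
            tbl[i].faddr == q->dst && tbl[i].fport == q->dport)
            return &tbl[i];
    return NULL;
}

/* Returns 1 if a connection was aborted, 0 if the ICMP error was ignored. */
int handle_icmp_error(struct tcp_conn *tbl, size_t n, const uint8_t *msg, size_t len) {
    struct icmp_quote q;
    if (!parse_icmp_error(msg, len, &q)) return 0;
    struct tcp_conn *c = find_conn(tbl, n, &q);
    if (!c) return 0;
    if (!seq_in_window(q.seq, c->snd_una, c->snd_nxt)) return 0;  /* cannot be ours */
    c->aborted = true;
    return 1;
}

/* Constructed sample: type 3/code 3 (port unreachable) quoting a 20-byte IPv4
   header plus 8 bytes of TCP. Checksums are left zero on purpose. */
size_t build_icmp_unreach(uint8_t *buf, uint32_t src, uint32_t dst,
                          uint16_t sport, uint16_t dport, uint32_t seq) {
    memset(buf, 0, 36);
    buf[0] = 3;  buf[1] = 3;
    uint8_t *ip = buf + 8;
    ip[0] = 0x45;  ip[9] = 6;
    put32(ip + 12, src);  put32(ip + 16, dst);
    uint8_t *tcp = ip + 20;
    put16(tcp, sport);  put16(tcp + 2, dport);  put32(tcp + 4, seq);
    return 36;
}

/* Bitmask of outcomes: 15 means every case behaved as intended. */
int run_checks(void) {
    struct tcp_conn tbl[1] = {{ 0x0a000001, 0x0a000002, 40000, 80,
                                1000, 1001, TCPS_SYN_SENT, false }};  /* SYN sent, ISS 1000 */
    uint8_t m[64];  size_t n;  int r = 0;
    n = build_icmp_unreach(m, 0x0a000001, 0x0a000002, 40000, 80, 5000);   /* out of window */
    if (handle_icmp_error(tbl, 1, m, n) == 0 && !tbl[0].aborted) r |= 1;
    n = build_icmp_unreach(m, 0x0a000001, 0x0a000002, 40000, 443, 1000);  /* wrong port */
    if (handle_icmp_error(tbl, 1, m, n) == 0 && !tbl[0].aborted) r |= 2;
    n = build_icmp_unreach(m, 0x0a000001, 0x0a000002, 40000, 80, 1000);   /* in window */
    if (handle_icmp_error(tbl, 1, m, 20) == 0 && !tbl[0].aborted) r |= 4;  /* truncated */
    if (handle_icmp_error(tbl, 1, m, n) == 1 && tbl[0].aborted) r |= 8;
    return r;
}

int main(void) { printf("checks: %d (expect 15)\n", run_checks()); return 0; }
```

The point of the window test is that a forged ICMP error has to carry a sequence number the local host actually has outstanding; without it, any message naming the right 4-tuple is enough to tear the connection down, which is the DoS concern raised in point (1).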