On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> [Moved to freebsd-net]
>
> On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > > In message <[EMAIL PROTECTED]>, Kris Kennaway writes:
> > > >This sounds like a security hole since ICMP messages don't have a TCP
> > > >sequence number meaning they can be trivially spoofed - am I wrong?
> > >
> > > There was some discussion on the list, and the result was that the
> > > default is this behaviour is "off" for now.
> > >
> > > Since we only react to this in "SYN-SENT" I think the window of
> > > opportunity is rather small in the first place...
> >
> > [ I haven't looked at the patch ]
> >
> > ICMP packets include the headers of the packets that `triggered' them,
> > so we do have a sequence number.
> >
> > I think the correct thing to do is to pull the source address,
> > destination address, source port, destination port, and sequence number
> > from the ICMP message, and zap the corresponding connection IFF the
> > sequence number is in the window.
>
> Jesper, I'm sorry I missed this thread on -hackers (I just caught up
> using the archive).
>
> I'm glad this is off by default. While clearly these ICMP messages need
> to be handled, I think the approach taken has fatal flaws:
> (1) This opens a new DoS attack
As said in my posting to [EMAIL PROTECTED], it allready match againt
TCP source and destination port numbers, and I'm testing a new version
which also matches against the TCP sequence number.
> (2) These same messages are not handled for connections not in
> SYN-SENT: they ought to be
Well, yes, but the real problem is when sessions are setup, the reason I
only configured it to affect sessions in SYN-SENT state, was to minimize
the risk for a DoS.
But it's a trivial fix to remove that check, what do you say Kris ? If
we match against
- ip source and destination addresses
- tcp source and destination ports
- tcp sequence number
Can we make it zap the sessions regardless of the current state ?
And perhaps enable it by default ?
/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
