On Fri, 26 Jan 2007, Brian Candler wrote: > > They are taking the position that it is upside down to require an > > unprivileged source port. What are the issues? > > The code is here in /usr/src/usr.sbin/inetd/inetd.c: > > if (port < IPPORT_RESERVED || port == NFS_PORT) > goto bad; > > The only reason I can think of is to avoid your host being used as a > reflector to attack services on other hosts.
Yes, I believe you're right. Thanks for refreshing my memory. This is a heuristic to stifle such attacks. The only breakage I've seen is that the "timedc(8)" program of another BSD uses a privileged source port for a minor feature (detecting hosts that are whole days off in time). The NetBSD inetd deals with the DoS problem by checking "port" against an array of likely problem source ports. > For example: attacker sends a UDP packet to you on port 37, with spoofed > source IP address and source port 53. Without this check, inetd would send > its response back to the spoofed IP address on port 53, so it looks like you > are trying to attack someone else's DNS server. > > In the case of UDP 'time', the attacker can't control the response you send, > but can predict it. Other services launched from inetd might give the > attacker more direct control over the packet sent, with the most extreme > example being "echo" :-) Yes, two hosts talking UDP to each other's echo datagram ports is probably the archtypical DoS -- of the hosts and any network they're on. Chargen is pretty vicious, too. Doubtless this and other similar attacks also account for the rate-limiting -R switch (and its default) to inetd. > The assumption here of course is that the only services worth attacking are > on ports <1024 or 2049. This still doesn't prevent your box being used as a Quite. NetBSD makes the similar assumption that those are the only "commonly" attacked/attacking services. I notice that in OpenBSD, this policy leads to encouraging honest clients to use unreserved ports, which then can lead to sometimes eliminating the setuid requirement for clients that non-root has a reason to run. So it's a double win. > DoS repeater, but that's a pretty fundamental limitation of simple UDP > request-response exchanges. Ah, for the happy days when people played nice, and an attack consisted of a manually typed password, and an unlisted modem telephone number was a serious security measure, and a source port <1024 meant you probably knew the sender personally. Thanks for your comments! Dave
