Bugtraq mailing list archives
improper use of netfilter MIRROR target can cause DoS
From: Fabian Melzow <biop0b () web de>
Date: Wed, 22 Aug 2001 00:02:08 +0200 (CEST)
An improper use of the experimental netfilter MIRROR target, can be used to launch a DoS attack against two host, which mirror the same protocol on min. one port. An attacker can spoof packet´s, with this mirrored ports as source and destination and an high TTL, 255 for example. These packet´s are then mirrored on each side, until the TTL reached zero. In a LAN without a router there packet´s will never expire. We tried this attack over the Internet with one packet, where a TTL of 255 was set, between Germany and Austria, with the result, that these packet was 30 times wrapped around. Evil minds can use this attack to crash these hosts or eat up all the bandwidth, just by sending spoofed packets. It´s also documented in the Linux kernel help, but you won´t really think, that the TTL is not decremented, if you read there, that the source and destination address of the packets is reversed. Here are some possible workarounds: - Put a TTL decrement rule, for example iptables -p all -j TTL --ttl-dec 1 or better, a rule with a higher decrement before the MIRROR rule. - In addition set a strong limit on the packet´s which are mirrored. - Apply Michael´s little netfilter patch to ipt_MIRROR.c, which decrements the TTL by one. This patch can also be downloaded from http://www.unet.univie.ac.at/~a9900470/ipt_MIRROR-ttl.patch - Don't use the MIRROR target. Fabian Melzow Michael Bauer biop0b () web de mihi () gmx at
Attachment:
ipt_MIRROR-ttl.patch
Description: ipt_MIRROR-ttl.patch
Current thread:
- improper use of netfilter MIRROR target can cause DoS Fabian Melzow (Aug 21)
- Re: improper use of netfilter MIRROR target can cause DoS Harald Welte (Aug 26)