Bugtraq mailing list archives
Re: Watcher page moved (and ObBug)
From: fitz () wang com (Tom Fitzgerald)
Date: Fri, 31 Mar 95 18:23:02 EST
> ICMP bombing is old, but still works. The problem is when a host receives an ICMP host (or net) unreachable, it has no way of verifying whether or not the packet came from a real gateway between it and the destination.
> [...]
> The fix is to not be sloppy. Even simply looking at the port numbers isn't enough verification as it would only require maybe 2000 spoofed ICMP host unreachable packets to shut down any connection from a machine to a known service. Instead, the sequence number could be compared to the sequence numbers sent and ACKd for the low end, and sequence numbers sent but NOT ACKd on the high end. A simple range comparison...
Actually, ICMP net/host unreachables should never be used to shut down a connection in ESTABLISHED state at all; they should only affect connections in SYN-SENT state. In that state, of course, you're right, the port numbers and initial sequence number in the ICMP should be checked against the fields sent out in the SYN packet. RFC 1122 says that much (sec 4.2.3.9), but really even port-unreachables and protocol-unreachables should be ignored in an ESTABLISHED connection (this would be a violation of RFC 1122 as it stands). If we got a SYN-ACK at some time in the past, then the port and protocol were good then, and only a RST or timeout should tear down the connection.

Interesting questions are:

1) Should TCP check the sequence number to avoid RST bombs?
2) Should it check the sequence number to block ICMP redirect bombs?
3) Should it check the MAC source address of ICMP redirects against the ARP table entry of the sender?
4) Should routers discard received redirects that aren't addressed to the router?

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz () wang com
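As an added illustration (not code from the original post or its authors) of the host-side policy argued above, the following Python validates an incoming ICMP destination-unreachable against a TCP control block: in SYN-SENT it requires the embedded ports and sequence number to match what the SYN carried (the "simple range comparison" of the quoted text, done modulo 2^32), and in ESTABLISHED it never aborts the connection. The TcpConn fields, the builder for the constructed sample message and the IPv4 addresses in it are assumptions for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class TcpConn:
    state: str       # "SYN-SENT" or "ESTABLISHED" (assumed minimal TCB)
    lport: int
    rport: int
    snd_una: int     # oldest unacknowledged sequence number (the ISN in SYN-SENT)
    snd_nxt: int     # next sequence number to be sent

def seq_in_flight(seq, snd_una, snd_nxt):
    """Modulo-2**32 check that snd_una <= seq < snd_nxt, i.e. sent but not yet ACKed."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32

def build_icmp_unreachable(code, sport, dport, seq):
    """Constructed sample: ICMP type 3 (checksum left zero) + a minimal 20-byte
    IPv4 header (protocol 6) + the first 8 bytes of the offending TCP header."""
    icmp_hdr = struct.pack("!BBHI", 3, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, seq)

def parse_icmp_unreachable(icmp):
    """Return (code, src_port, dst_port, seq) read from the embedded IP + TCP header."""
    if icmp[0] != 3:
        raise ValueError("not an ICMP destination unreachable")
    inner = icmp[8:]                       # original IP header follows the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6:
        raise ValueError("embedded datagram is not TCP")
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return icmp[1], sport, dport, seq

def should_abort(conn, icmp):
    """Tear down only a SYN-SENT connection, and only when the ICMP code, the
    ports and the sequence number all match what that connection actually sent."""
    code, sport, dport, seq = parse_icmp_unreachable(icmp)
    if conn.state != "SYN-SENT" or code not in (0, 1):   # 0 = net, 1 = host unreachable
        return False                       # ESTABLISHED: only a RST or timeout may tear it down
    if (sport, dport) != (conn.lport, conn.rport):
        return False
    return seq_in_flight(seq, conn.snd_una, conn.snd_nxt)
```

Because the SYN consumes exactly one sequence number, in SYN-SENT the range check reduces to "embedded seq equals the ISN"; a spoofer who does not know the ISN cannot pass it.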