Bugtraq mailing list archives

Re: Watcher page moved (and ObBug)


From: fitz () wang com (Tom Fitzgerald)
Date: Fri, 31 Mar 95 18:23:02 EST


> ICMP bombing is old, but still works. The problem is when a host receives
> an ICMP host (or net) unreachable, it has no way of verifying whether or
> not the packet came from a real gateway between it and the destination.
> [...]
> The fix is to not be sloppy. Even simply looking at the port numbers isn't
> enough verification, as it would only require maybe 2000 spoofed ICMP host
> unreachable packets to shut down any connection from a machine to a known
> service. Instead, the sequence number could be compared to the sequence
> numbers sent and ACKd on the low end, and sequence numbers sent but NOT
> ACKd on the high end. A simple range comparison...

Actually, ICMP net/host unreachables should never be used to shut down a
connection in ESTABLISHED state at all, they should only affect connections
in SYN-SENT state.  In that state, of course, you're right, the port
numbers and initial sequence number in the ICMP should be checked against
the fields sent out in the SYN packet.

RFC 1122 says that much (sec 4.2.3.9) but really even port-unreachables and
protocol-unreachables should be ignored in an ESTABLISHED connection (this
would be a violation of RFC 1122 as it stands).  If we got a SYN-ACK at
some time in the past, then the port and protocol were good then, and only
a RST or timeout should tear down the connection.

Interesting questions are: 1) should TCP check the sequence number to avoid
RST bombs?  2) Should it check the sequence number to block ICMP redirect
bombs?  3) Should it check the MAC source address of ICMP redirects against
the ARP table entry of the sender?  4) Should routers discard received
redirects that aren't addressed to the router?

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz () wang com
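The check both posters describe, as an added example that is not part of the original thread: an ICMP net/host unreachable is only allowed to abort a connection still in SYN-SENT, and only when the embedded TCP header's ports match and its sequence number falls in the sent-but-unacknowledged window (which in SYN-SENT reduces to the ISS). Connection fields, the ICMP sample and the policy function names are constructed for the example.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
HARD_CODES = {0, 1, 2, 3}   # net, host, protocol, port unreachable

@dataclass
class TcpConn:               # constructed connection record
    state: str               # "SYN-SENT" or "ESTABLISHED"
    local_port: int
    remote_port: int
    snd_una: int             # oldest sent, not yet ACKd sequence number
    snd_nxt: int             # next sequence number to be sent

def seq_in_flight(seq, snd_una, snd_nxt):
    """The range comparison: snd_una <= seq < snd_nxt, modulo 2**32."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32

def parse_icmp_unreach(payload):
    """ICMP header (8 bytes) + offending IP header + first 8 TCP bytes.
    Returns (icmp_type, code, src_port, dst_port, seq)."""
    icmp_type, code = payload[0], payload[1]
    ihl = (payload[8] & 0x0F) * 4             # embedded IP header length
    tcp8 = payload[8 + ihl:8 + ihl + 8]
    src_port, dst_port, seq = struct.unpack("!HHI", tcp8)
    return icmp_type, code, src_port, dst_port, seq

def should_abort(conn, payload):
    """True only if this ICMP error may legitimately tear down conn."""
    icmp_type, code, src_port, dst_port, seq = parse_icmp_unreach(payload)
    if icmp_type != ICMP_DEST_UNREACH or code not in HARD_CODES:
        return False
    if conn.state != "SYN-SENT":
        return False                          # ESTABLISHED: only RST/timeout
    # The embedded header is our own SYN: src is local, dst is remote.
    if (src_port, dst_port) != (conn.local_port, conn.remote_port):
        return False
    # In SYN-SENT snd_una == ISS and snd_nxt == ISS + 1, so this is seq == ISS.
    return seq_in_flight(seq, conn.snd_una, conn.snd_nxt)

def build_icmp_unreach(code, src_port, dst_port, seq):
    """Constructed sample datagram: ICMP hdr + minimal IPv4 hdr + 8 TCP bytes."""
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    ip_hdr = bytes([0x45]) + b"\x00" * 19     # IHL=5, remaining fields zeroed
    return icmp_hdr + ip_hdr + struct.pack("!HHI", src_port, dst_port, seq)
```

A spoofed unreachable against an ESTABLISHED connection is simply dropped, and one against a SYN-SENT connection must guess the port pair and the exact ISS.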


