Bugtraq mailing list archives

Re: FreeBSD's RST validation


From: tristan+-eyjgmd () ETHEREAL NET (Tristan Horn)
Date: Sun, 30 Aug 1998 22:30:34 -0700


On Sun, Aug 30, 1998 at 06:22:26PM -0700, James Snow wrote:
> Be aware that this individual used this attack on my machine late last
> night, disconnecting all of my users without warning, and certainly
> without asking for permission.

As before, I apologize for disconnecting those three random IRC sessions,
though I don't think that's relevant to this forum.

> He also did not, to my knowledge, report this to the FreeBSD team before
> posting this here.

Yeah, I only Bcc'd security-officer () freebsd org.  Sorry, prior experience
led me to believe that it would take a day or so before the message would
be approved...

Probably not entirely FreeBSD-specific, anyway.

On Sun, Aug 30, 1998 at 07:09:46PM -0700, Diane Bruce wrote:
> I hate people who mime their email for the plain text part.

OK, I won't sign this one.

> Port 6666 is quite commonly used for autoconnect, as well as 31337...
> Not really very much that can be done from userland really...

I'm told that 5555 is something of a standard these days too.

If you can effectively keep /both/ ports unknown, i.e. bind to a random
port for outbound server connections and get your uplink to set up a
special port (firewalled from portscanners), you'd be in good shape.

However, I doubt most people would be willing to go to such trouble, and
I think it takes enough additional brainpower to keep it from being
exploited much before the patch is released anyway.

The offending code seems to be around /usr/src/sys/netinet/tcp_input.c:809
for sockets in SYN_SENT state, and :1138 for sockets in most of the other
states.  (Looking at 2.2.6-RELEASE: $Id: tcp_input.c,v 1.54.2.7...)

On a similar topic, has anyone explored the possibility of injecting
routes or doing other evil things with the endless information that ciscos
provide in sh ip bgp nei?  Most route-views type places seem to allow it.

Tris
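As an added illustration of the RST validation the message above points at in tcp_input.c (this is not FreeBSD's code; the control-block and segment structs are simplified stand-ins, and the field names are assumed), the check below drops a RST whose sequence number lies outside the receive window, requires an acceptable ACK in SYN_SENT as RFC 793 specifies, and goes beyond the thread by applying the later RFC 5961 rule of answering an in-window but inexact RST with a challenge ACK rather than tearing the connection down:

```c
#include <stdint.h>
#include <stdbool.h>

/* Wraparound-safe sequence comparisons, in the style of the BSD stack. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

enum tcp_state { TCPS_SYN_SENT, TCPS_ESTABLISHED };
enum rst_verdict { RST_DROP, RST_CHALLENGE_ACK, RST_ACCEPT };

struct tcpcb {                  /* simplified stand-in for the real control block */
    enum tcp_state state;
    uint32_t snd_una, snd_nxt;  /* oldest unacked seq (ISS in SYN_SENT) / next seq to send */
    uint32_t rcv_nxt, rcv_wnd;  /* next seq expected / advertised receive window */
};
struct rst_seg { uint32_t seq, ack; bool has_ack; };  /* fields of the incoming RST */

enum rst_verdict rst_verdict(const struct tcpcb *tp, const struct rst_seg *th)
{
    if (tp->state == TCPS_SYN_SENT) {
        /* RFC 793: a RST in SYN_SENT counts only if it ACKs our SYN,
         * i.e. ISS < SEG.ACK <= SND.NXT; a RST without an ACK is dropped. */
        if (!th->has_ack) return RST_DROP;
        if (SEQ_LEQ(th->ack, tp->snd_una) || SEQ_LT(tp->snd_nxt, th->ack))
            return RST_DROP;
        return RST_ACCEPT;
    }
    /* Other states: a RST whose SEG.SEQ is outside the receive window is
     * treated as a guess and dropped.  An exact match on RCV.NXT resets the
     * connection; anything else inside the window draws a challenge ACK
     * (RFC 5961), so a blind sender must hit the exact value, not just the
     * window.  A zero window therefore accepts only the exact match. */
    if (SEQ_LT(th->seq, tp->rcv_nxt)) return RST_DROP;
    if (th->seq == tp->rcv_nxt) return RST_ACCEPT;
    if (SEQ_LT(th->seq, tp->rcv_nxt + tp->rcv_wnd)) return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Helper that builds a control block and segment from scalars for quick checks. */
enum rst_verdict check(enum tcp_state st, uint32_t snd_una, uint32_t snd_nxt,
                       uint32_t rcv_nxt, uint32_t rcv_wnd,
                       uint32_t seq, uint32_t ack, bool has_ack)
{
    struct tcpcb tp = { st, snd_una, snd_nxt, rcv_nxt, rcv_wnd };
    struct rst_seg th = { seq, ack, has_ack };
    return rst_verdict(&tp, &th);
}
```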


