[22366] in bugtraq


improper use of netfilter MIRROR target can cause DoS

daemon@ATHENA.MIT.EDU (Fabian Melzow)
Tue Aug 21 20:08:21 2001

Message-ID: <XFMail.20010822000208.biop0b@web.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="_=XFMail.1.4.7p2.Linux:20010822000144:5003=_"
Date: Wed, 22 Aug 2001 00:02:08 +0200 (CEST)
From: Fabian Melzow <biop0b@web.de>
To: bugtraq@securityfocus.com



Improper use of the experimental netfilter MIRROR target can be used to
launch a DoS attack against two hosts that both mirror the same protocol
on at least one port.

An attacker can spoof packets with these mirrored ports as source and
destination and a high TTL, 255 for example.

These packets are then mirrored by each side until the TTL reaches zero.
In a LAN without a router, these packets will never expire.

We tried this attack over the Internet with one packet, on which a TTL of 255
was set, between Germany and Austria, with the result that this packet was
wrapped around 30 times.

Evil minds can use this attack to crash these hosts or eat up all the bandwidth,
just by sending spoofed packets.

It's also documented in the Linux kernel help, but you won't really expect
that the TTL is not decremented when you read there that the source and
destination addresses of the packets are reversed.


Here are some possible workarounds:

- Put a TTL decrement rule before the MIRROR rule (the TTL target lives in
  the mangle table, and PREROUTING is traversed before the chain holding
  the MIRROR rule), for example

   iptables -t mangle -A PREROUTING -p all -j TTL --ttl-dec 1

  or better, a rule with a higher decrement.

- In addition, set a strong rate limit on the packets which are mirrored.

- Apply Michael's little netfilter patch to ipt_MIRROR.c,
  which decrements the TTL by one. This patch can also be
  downloaded from
  http://www.unet.univie.ac.at/~a9900470/ipt_MIRROR-ttl.patch
  
- Don't use the MIRROR target. 



Fabian Melzow           Michael Bauer
biop0b@web.de           mihi@gmx.at


--_=XFMail.1.4.7p2.Linux:20010822000144:5003=_
Content-Disposition: attachment; filename="ipt_MIRROR-ttl.patch"
Content-Transfer-Encoding: base64
Content-Description: ipt_MIRROR-ttl.patch
Content-Type: application/octet-stream;
 name=ipt_MIRROR-ttl.patch; SizeOnDisk=230

