[5664] in bugtraq


Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE

daemon@ATHENA.MIT.EDU (Daniel O'Callaghan)
Fri Nov 21 02:21:00 1997

Date: 	Fri, 21 Nov 1997 12:49:05 +1100
Reply-To: "Daniel O'Callaghan" <danny@PANDA.HILINK.COM.AU>
From: "Daniel O'Callaghan" <danny@PANDA.HILINK.COM.AU>
X-To:         Robert Watson <robert@cyrus.watson.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSF.3.96.971120181102.12215A-100000@cyrus.watson.org>

On Thu, 20 Nov 1997, Robert Watson wrote:

> Adding a rule for the interface denying packets from oneself appears to
> defend against the new attack.
>
> This rule worked:
> 03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0
> Where 128.2.91.57 is the host's IP address on device ed0.
>
> Adding this to rc.firewall on FreeBSD is also a good idea.  Multi-homed
> hosts require one entry per device, needless to say.

With terminal servers which have IP addresses which move from interface
to interface, the following rules are more generic:

----------------------------------------------
#!/bin/sh

# Rule 1: always pass loopback traffic, so the 127.0.0.1 entry below
# only blocks packets claiming that source on a real interface.
/sbin/ipfw add 1 allow ip from any to any via lo0
# Rule 2: deny (and log) any inbound packet whose source is one of this
# host's own addresses, whichever interface it arrived on.
for ip in 127.0.0.1 192.2.3.4 192.2.3.6 192.7.8.9
do
    /sbin/ipfw add 2 deny log ip from $ip to any in
done
-----------------------------------------------

The above will prevent all self-spoofing attacks.  The posted (and
merged) fix in tcp_input.c will not prevent attacks where packets are
formed to go from one interface to another on a multi-homed machine.
I have not verified that the multi-homed attack works, but my guess is
that it would.

Sigh.  I had made a start on reducing vulnerability to this sort of thing
in rc.firewall, but I had only got as far as 127.0.0.0/8 and had to get
back to money-earning work.  Looks like I should finish the job.

Danny
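
Building the same per-address deny rules from the host's interface list instead of a hand-typed one, as an added example that is not part of the original post or of FreeBSD. The ifconfig-style sample is constructed, and the rule syntax is the one used in the script above.

```shell
#!/bin/sh
# Added example: derive the "deny from <own address> in" ipfw rules from
# interface output, so multi-homed hosts and hosts whose addresses move
# between interfaces are covered without editing the address list.

# Constructed sample of `ifconfig -a` output (not captured from a real host).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.2.3.4 netmask 0xffffff00 broadcast 192.2.3.255
        inet 192.2.3.6 netmask 0xffffffff broadcast 192.2.3.6
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.7.8.9 --> 192.7.8.1 netmask 0xffffffff'

# local_addrs: print every IPv4 "inet" address in the given ifconfig text,
# one per line, duplicates removed (aliases on the same interface included).
local_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }' | sort -u
}

# self_spoof_rules: emit the ipfw commands from the post. Loopback is allowed
# first so that rule 2 only catches packets forging 127.0.0.1 or one of our
# other addresses as source on a real interface.
self_spoof_rules() {
    echo "/sbin/ipfw add 1 allow ip from any to any via lo0"
    local_addrs "$1" | while read -r ip; do
        echo "/sbin/ipfw add 2 deny log ip from $ip to any in"
    done
}

# Stand-alone run: print the generated rules for the constructed sample.
# On a FreeBSD host: self_spoof_rules "$(ifconfig -a)" | sh
self_spoof_rules "$SAMPLE_IFCONFIG"
```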
