[5682] in bugtraq


Re: "LAND" Attack Update

daemon@ATHENA.MIT.EDU (Charles M. Hannum)
Sat Nov 22 20:37:56 1997

Date: 	Sat, 22 Nov 1997 14:47:20 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU>
From: "Charles M. Hannum" <mycroft@MIT.EDU>
X-To:         Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  mycroft@mit.edu's message of 22 Nov 1997 14:19:11 -0500

mycroft@mit.edu (Charles M. Hannum) writes:

>
> 2) A socket in LISTEN state is not initiating a connection attempt, so
>    if it receives a SYN-only packet from itself, it *must* be a
>    forgery.  A self-connect would cause the socket to no longer be in
>    LISTEN state before the SYN-only packet arrives.  There's no point
>    in sending a RST in this case, since we'd just be sending it to
>    ourselves.
>
>    (Actually, this change isn't really complete; in theory, if the
>    LISTEN socket was bound to INADDR_ANY, then we should check whether
>    the source address of the SYN was any of our local addresses, not
>    just that it matches the destination.  However, a failure to detect
>    the attack at this point will merely generate an extra SYN+ACK that
>    will be dropped by the first change.)

BTW, on a related note...

The FreeBSD hack to `fix' (or not allow) self-connects DOES NOT WORK
FOR MULTIHOMED HOSTS.  It's still possible to crash a multihomed
FreeBSD system by locally running a program that connects a TCP socket
to itself.
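As an added illustration of the check described in point 2 above (this is example code written for this archive page, not code from the thread or from any BSD kernel), the function below shows the difference between a naive LAND test and the complete one for a listener bound to INADDR_ANY on a multihomed host. The `struct tcp_pkt` type, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for the demo; real stacks operate on their own mbuf/skb headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits from the flags byte of the TCP header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Build an IPv4 address from dotted octets, host byte order: IPV4(192,0,2,1). */
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal view of a parsed IPv4/TCP segment (hypothetical struct, not a
 * kernel type).  Addresses and ports are kept in host byte order so the
 * comparisons read naturally. */
struct tcp_pkt {
    uint32_t src_addr;
    uint32_t dst_addr;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  flags;
};

/* "SYN-only": SYN set and none of ACK, RST or FIN set.  A socket that
 * legitimately self-connected would have left LISTEN before such a segment
 * could arrive, so a SYN-only segment "from ourselves" on a LISTEN socket
 * must be forged. */
static int syn_only(const struct tcp_pkt *p)
{
    return (p->flags & TH_SYN) && !(p->flags & (TH_ACK | TH_RST | TH_FIN));
}

/* Naive check: flag only if source equals destination, address and port.
 * This misses the multihomed case the message describes. */
int land_naive(const struct tcp_pkt *p)
{
    return syn_only(p) && p->src_addr == p->dst_addr && p->src_port == p->dst_port;
}

/* Complete check for a listener bound to INADDR_ANY: the segment is "from
 * ourselves" if its source port is the listening port and its source address
 * is ANY of the host's local addresses, not just the one it was sent to.
 * `local` is the set of addresses the listener answers on. */
int land_multihomed(const struct tcp_pkt *p, const uint32_t *local, size_t n)
{
    if (!syn_only(p) || p->src_port != p->dst_port)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (p->src_addr == local[i])
            return 1;
    return 0;
}

/* Constructed demo data: a two-interface host with a listener on port 23. */
static const uint32_t demo_local[] = { IPV4(192, 0, 2, 1), IPV4(198, 51, 100, 1) };
#define DEMO_NLOCAL (sizeof demo_local / sizeof demo_local[0])

int main(void)
{
    /* Classic LAND: source == destination on both address and port. */
    struct tcp_pkt classic = { IPV4(192, 0, 2, 1), IPV4(192, 0, 2, 1), 23, 23, TH_SYN };
    /* Multihomed variant: source is the host's OTHER interface address. */
    struct tcp_pkt multi   = { IPV4(198, 51, 100, 1), IPV4(192, 0, 2, 1), 23, 23, TH_SYN };
    /* Ordinary SYN from a remote client. */
    struct tcp_pkt remote  = { IPV4(203, 0, 113, 7), IPV4(192, 0, 2, 1), 40000, 23, TH_SYN };

    printf("classic: naive=%d multihomed=%d\n",
           land_naive(&classic), land_multihomed(&classic, demo_local, DEMO_NLOCAL));
    printf("multi:   naive=%d multihomed=%d\n",
           land_naive(&multi), land_multihomed(&multi, demo_local, DEMO_NLOCAL));
    printf("remote:  naive=%d multihomed=%d\n",
           land_naive(&remote), land_multihomed(&remote, demo_local, DEMO_NLOCAL));
    return 0;
}
```

The `multi` packet is the case the message says the FreeBSD hack misses: the naive test returns 0 because the two addresses differ, while the check against the full local address set returns 1. A SYN+ACK with a local source is deliberately not flagged here; as the quoted text notes, that segment is dropped by the other change rather than by this one.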
