[5696] in bugtraq
Re: "LAND" Attack Update
daemon@ATHENA.MIT.EDU (Charles M. Hannum)
Mon Nov 24 23:35:21 1997
Date: Sun, 23 Nov 1997 03:34:07 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU>
From: "Charles M. Hannum" <mycroft@MIT.EDU>
X-To: Don Lewis <Don.Lewis@tsc.tdk.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Don Lewis's message of Sat, 22 Nov 1997 22:43:30 -0800
[CCing this to bugtraq to prevent further confusion...]
Don Lewis <Don.Lewis@tsc.tdk.com> writes:
>
> On Nov 22, 2:19pm, "Charles M. Hannum" wrote:
> }
> } The changes we've made in NetBSD to deal with the `land' attack are:
> }
> } 1) If a socket in LISTEN state receives a SYN+ACK packet, then send a
> } RST and drop the packet.
I suppose I was being imprecise here. If we created a TCP control
block when replying to a SYN-only packet, then it would be in
SYN-RECEIVED state. However, we don't. What we actually find when we
do the lookup is the LISTEN socket. If you have a TCP control block
for embryonic connections, then you should do the `drop with reset'
for either LISTEN or SYN-RECEIVED state.
> I've heard reports of rumors of problems caused by sending SYN+ACK
> packets to LISTENing sockets (and there is supposed to be a note about
> this in "TCP/IP Illustrated Volume 3", which I don't yet have), but in
> what way is the following code inadequate?
> [...]
> case TCPS_LISTEN: {
> [...]
> if (tiflags & TH_ACK)
>         goto dropwithreset;
The original 4.4BSD (and earlier) code finds a different socket at
this point, which is in SYN-RECEIVED state. The above code doesn't
handle that case.