[952] in SIPB_Linux_Development
Re: probs still with Linux/Kerberos
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Mar 1 11:29:14 1995
Date: Wed, 1 Mar 1995 11:28:56 +0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: "Charles M. Hannum" <mycroft@ai.mit.edu>
Cc: ghudson@MIT.EDU, linux-dev@MIT.EDU, netbsd-dev@MIT.EDU
In-Reply-To: Charles M. Hannum's message of Wed, 1 Mar 1995 05:07:32 -0500,
<199503011007.FAA05715@duality.gnu.ai.mit.edu>

> Date: Wed, 1 Mar 1995 05:07:32 -0500
> From: "Charles M. Hannum" <mycroft@ai.mit.edu>
>
> If a UDP packet is rejected, there is no mechanism for detecting this,
> except perhaps by listening to ICMP port unreachables. This might
> allow for denial of service attacks by forging unreachable messages.
> In addition, ECONNREFUSED doesn't make sense for a connectionless
> protocol. Lastly, it would also have to be deferred and reported
> later, since the only upper bound on when we would get the ICMP is
> 2*MSL, which is an unreasonably large time to execute the write()
> call.

It's detected when you call recv() --- no timeout is necessary because
you either get a UDP packet back, or an ICMP port unreachable.
As for the denial of service attack angle, there's a much more
interesting attack you can perform by forging a UDP packet which looks
like it came from the KDC, but really didn't. Stupidly designed
programs that assume that a user's password is correct simply because
they could decrypt the packet sent back from the KDC will fall prey to
this attack. Ask Stan how he broke into Athena's master source machine
a few years ago, using this very attack.
If Kerberos is used correctly, then forging the UDP packet is merely a
denial of service attack --- and it's really impossible to defend
against denial of service attacks. I can think of hundreds of ways that
I can force a machine off the network if I really wanted to. Forge an
ARP if you're on the same subnet, bring up a PPP link in Miami, Florida
and negotiate a net 18 address (and watch half the regional networks on
the Internet believe the resulting routing information, and then route
all of net 18 down to Florida).....
- Ted
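The design flaw Ted describes (treating "I could decrypt the KDC reply with the typed password" as proof that the password is right) and the fix implied by "if Kerberos is used correctly" are easier to see in code. The following is an added example written for this archive page, not code from the thread, MIT Kerberos or Athena: it is a toy model with constructed keys, a toy sealing primitive standing in for Kerberos encryption, and hypothetical `RealKDC`, `ForgedKDC`, `naive_login` and `verified_login` names. The hardened check uses the credentials from the reply to fetch a ticket for the workstation's own host service and verifies that ticket with the key held in the local keytab, which a forger of KDC replies does not have.

```python
"""Toy model of the forged-KDC-reply problem discussed in the thread.

NOT real Kerberos: the string-to-key function, the sealing primitive and
the message layouts are simplified stand-ins constructed for this example.
"""
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # SHA-256 digest length used by the toy sealing primitive


def string_to_key(password: str) -> bytes:
    # Toy string-to-key; real Kerberos uses a salted key derivation.
    return hashlib.sha256(password.encode()).digest()


def seal(key: bytes, payload: dict) -> bytes:
    # Toy "encryption": the payload is integrity-protected by an HMAC under
    # key, so opening it succeeds only with the same key.  That is the
    # property the login program relies on; confidentiality is not modelled.
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(key: bytes, blob: bytes):
    # Returns the payload, or None when the key does not fit ("decryption failed").
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


class RealKDC:
    """Hypothetical KDC holding user keys and the keys of registered services."""

    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys
        self.service_keys = service_keys
        self.master_key = secrets.token_bytes(32)  # seals the TGTs it issues

    def as_exchange(self, principal: str) -> bytes:
        # AS reply: sealed under the user's key, handed out to anyone who asks.
        session_key = secrets.token_hex(16)
        tgt = seal(self.master_key, {"client": principal, "session": session_key})
        return seal(self.user_keys[principal], {"session": session_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, service: str):
        # TGS reply: only TGTs this KDC issued itself are honoured.
        tgt = unseal(self.master_key, bytes.fromhex(tgt_hex))
        if tgt is None:
            return None
        return seal(self.service_keys[service], {"client": tgt["client"], "service": service})


class ForgedKDC:
    """Stand-in for the forged UDP reply in the thread: it answers the AS
    exchange with a reply sealed under a key of its own choosing, but it holds
    no host key, so it cannot produce a ticket the workstation's keytab opens."""

    def __init__(self, chosen_password: str):
        self.key = string_to_key(chosen_password)

    def as_exchange(self, principal: str) -> bytes:
        fake_tgt = seal(self.key, {"client": principal}).hex()
        return seal(self.key, {"session": "forged", "tgt": fake_tgt})

    def tgs_exchange(self, tgt_hex: str, service: str) -> bytes:
        return seal(self.key, {"client": "anyone", "service": service})


def naive_login(kdc, principal: str, typed_password: str) -> bool:
    """The flawed check: decrypting the reply with the typed password is taken
    as proof the password is correct.  A forged reply passes this test."""
    reply = unseal(string_to_key(typed_password), kdc.as_exchange(principal))
    return reply is not None


def verified_login(kdc, principal: str, typed_password: str,
                   keytab: dict, host_service: str) -> bool:
    """Hardened check: obtain a ticket for this host's own service with the
    credentials from the reply and verify it under the local keytab key."""
    reply = unseal(string_to_key(typed_password), kdc.as_exchange(principal))
    if reply is None:
        return False
    blob = kdc.tgs_exchange(reply["tgt"], host_service)
    if blob is None:
        return False
    ticket = unseal(keytab[host_service], blob)
    return (ticket is not None
            and ticket["client"] == principal
            and ticket["service"] == host_service)


def build_scenario():
    # Constructed sample realm: one user and one workstation host key, with the
    # same host key registered at the KDC and stored in the local keytab.
    host_service = "host/workstation"
    keytab = {host_service: secrets.token_bytes(32)}
    kdc = RealKDC({"alice": string_to_key("correct horse")}, dict(keytab))
    return kdc, keytab, host_service


if __name__ == "__main__":
    kdc, keytab, svc = build_scenario()
    forged = ForgedKDC("attacker-chosen")
    print("naive, real KDC, right password:   ", naive_login(kdc, "alice", "correct horse"))
    print("naive, forged reply:               ", naive_login(forged, "alice", "attacker-chosen"))
    print("verified, real KDC, right password:", verified_login(kdc, "alice", "correct horse", keytab, svc))
    print("verified, forged reply:            ", verified_login(forged, "alice", "attacker-chosen", keytab, svc))
```

The check in `verified_login` is the property that matters: authentication succeeds only if something holding the workstation's own key vouches for the ticket, so a reply forged by a party without that key fails regardless of what password was typed. Real implementations perform the equivalent step by verifying the initial credentials against the host's keytab (srvtab in Kerberos 4) before trusting a login.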