6950732 2001-08-22 00:02 +0200  /47 lines/ Fabian Melzow <biop0b@web.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-22  02:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18895>
Subject: improper use of netfilter MIRROR target can cause DoS
------------------------------------------------------------

An improper use of the experimental netfilter MIRROR target
can be used to launch a DoS attack against two hosts which
mirror the same protocol on at least one port.

An attacker can spoof packets, with these mirrored ports as source and
destination and a high TTL, 255 for example.

These packets are then mirrored on each side, until the TTL reaches
zero.  In a LAN without a router these packets will never expire.

We tried this attack over the Internet with one packet, where a TTL
of 255 was set, between Germany and Austria, with the result that
this packet was wrapped around 30 times.

Evil minds can use this attack to crash these hosts or eat up all the
bandwidth, just by sending spoofed packets.

It's also documented in the Linux kernel help, but you won't really
think that the TTL is not decremented if you read there that the
source and destination addresses of the packets are reversed.


Here are some possible workarounds:

- Put a TTL decrement rule, for example  

   iptables -p all -j TTL --ttl-dec 1

  or better, a rule with a higher decrement before the MIRROR rule.

- In addition set a strong limit on the packets which are mirrored.

- Apply Michael's little netfilter patch to ipt_MIRROR.c,
  which decrements the TTL by one. This patch can also be
  downloaded from
  http://www.unet.univie.ac.at/~a9900470/ipt_MIRROR-ttl.patch
  
- Don't use the MIRROR target. 



Fabian Melzow           Michael Bauer
biop0b@web.de           mihi@gmx.at
(6950732) /Fabian Melzow <biop0b@web.de>/-(Reformatted)
Attachment (application/octet-stream) in text 6950733
6950733 2001-08-22 00:02 +0200  /8 lines/ Fabian Melzow <biop0b@web.de>
Attachment filename: "ipt_MIRROR-ttl.patch"
Imported: 2001-08-22  02:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18896>
Attachment (text/plain) to text 6950732
Subject: Attachment (ipt_MIRROR-ttl.patch) to: improper use of netfilter MIRROR target can cause DoS
------------------------------------------------------------
diff ipt_MIRROR.c ipt_MIRROR-ttl.c 
/usr/src/linux/net/ipv4/netfilter/ipt_MIRROR.c
# this patch causes ipt_MIRROR to decrement ttl when mirroring
# written by Michael Bauer <mihi@gmx.at> no warranties

73a74
>         iph->ttl--;
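
Review bot: the decrement added at line 74 is unconditional, and nothing in the hunk guards the case where iph->ttl is already 0 or 1, so a mirrored packet could be sent with TTL 0 or, on an 8-bit field, wrap around to 255. Suggest checking the value first and dropping the packet instead of mirroring it when iph->ttl <= 1. The TTL is also covered by the IP header checksum and the hunk does not show the checksum being updated; if the code after line 74 does not already recompute it, that needs to be part of this change.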
(6950733) /Fabian Melzow <biop0b@web.de>/-----------
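
Added example, not part of the original posting or of the netfilter code: a small C model of one packet bouncing between two hosts that both MIRROR the same port, showing why a per-reflection TTL decrement bounds the loop on a LAN. The router count of 8, the cap, and the rule that the mirroring host drops a packet rather than send it with TTL 0 are assumptions of this model.

```c
#include <stdio.h>

/* Outcome of following one packet between two hosts that both MIRROR a port. */
struct bounce { int mirrored; int expired; };

/*
 * Model (assumptions of this example, not kernel code):
 *   ttl        TTL of the packet when it first reaches a mirroring host
 *   routers    routers between the two hosts; each decrements the TTL and
 *              drops the packet when the result is 0 (0 = same LAN)
 *   mirror_dec TTL subtracted by the mirroring host: 0 models the behaviour
 *              described in the post, 1 models the TTL-decrement workaround;
 *              the host drops instead of sending TTL 0 (assumed)
 *   cap        give up after this many reflections ("never expires")
 */
struct bounce simulate(int ttl, int routers, int mirror_dec, int cap)
{
    struct bounce r = { 0, 0 };

    for (;;) {
        if (mirror_dec > 0) {
            if (ttl <= mirror_dec) { r.expired = 1; return r; }
            ttl -= mirror_dec;
        }
        r.mirrored++;                    /* packet reflected to the peer */
        if (r.mirrored >= cap)
            return r;                    /* still alive when the cap is hit */
        for (int i = 0; i < routers; i++) {
            if (--ttl <= 0) { r.expired = 1; return r; }
        }
    }
}

static void report(const char *label, struct bounce r)
{
    printf("%-26s reflections=%-8d %s\n", label, r.mirrored,
           r.expired ? "TTL expired" : "still looping at cap");
}

int main(void)
{
    const int cap = 1000000;             /* constructed stand-in for "forever" */
    report("LAN, no decrement", simulate(255, 0, 0, cap));
    report("LAN, decrement 1", simulate(255, 0, 1, cap));
    report("8 routers, no decrement", simulate(255, 8, 0, cap));
    report("8 routers, decrement 1", simulate(255, 8, 1, cap));
    return 0;
}
```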