88465 2003-01-21  09:47  /82 lines/ Florian Lohoff <flo@rfc822.org>
Imported: 2003-01-21  09:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3113>
Subject: DoS against DHCP infrastructure with isc dhcrelay
------------------------------------------------------------

Hi, I discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured dhcp server(s) in case
of a malicious bootp packet. I have seen this on Linux kernel 2.2 and
2.4 with the isc dhcp 3.0rc9 relay (I haven't tested rc10, but the diff
shows no obvious fix).

In case the dhcp-relay receives a bootp request it will forward it
through LPF to the dhcp server using the broadcast mac address
ff:ff:ff:ff:ff:ff, which causes the LPF to reflect the packet back
into the socket. To prevent loops the dhcrelay checks whether the giaddr
is itself. In case it receives a packet with a set giaddr it will not
alter this address and will forward the packet. On reception of that
packet the giaddr is not itself, so it will continue forwarding.

My fix was to limit the hopcount, which is counted up until 255 and
continues to loop.  My impression of a hop count is that it should
get dropped when reached.  There are possibly other ways to prevent
looping (dropping our mac address on reception, forwarding layer 2
unicast to the default gw).

With this workaround you can steer the amplification of the bootp
requests, as for every malicious bootp packet, hopcount relays happen.

--- dhcp3-3.0+3.0.1rc9/relay/dhcrelay.c	Sat Apr 27 05:34:20 2002
+++ dhcp3-3.0+3.0.1rc9.flo/relay/dhcrelay.c	Wed Oct 16 14:29:04 2002
@@ -88,6 +88,7 @@
 				   did not match any known circuit ID. */
 int missing_circuit_id = 0;	/* Circuit ID option in matching RAI option
 				   was missing. */
+int max_hop_count = 255;	/* Maximum hop count */
 
 	/* Maximum size of a packet with agent options added. */
 int dhcp_max_agent_option_packet_length = 576;
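Review bot: the default of 255 for max_hop_count makes the new check fire only once hops has been counted all the way up, so an unconfigured relay still relays each malicious packet roughly 254 times before the loop ends, which leaves the amplification the advisory complains about in place unless the operator passes -c. A small default (RFC 1542 tells relay agents to silently discard BOOTREQUESTs whose hops field exceeds 16) would bound the storm out of the box; ISC's later dhcrelay ships -c with a default of 10.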
@@ -182,6 +183,15 @@
 			quiet_interface_discovery = 1;
 		} else if (!strcmp (argv [i], "-a")) {
 			add_agent_options = 1;
+		} else if (!strcmp (argv [i], "-c")) {
+			int	hcount;	
+			if (++i == argc)
+				usage ();
+			hcount = atoi(argv[i]);	
+			if (hcount <=255)
+				max_hop_count=hcount;
+			else
+				usage ();
 		} else if (!strcmp (argv [i], "-A")) {
 			if (++i == argc)
 				usage ();
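Review bot: the -c parsing accepts values it should reject: atoi() returns 0 for non-numeric input and passes negative numbers through, and `hcount <=255` is the only bound, so `-c 0`, `-c -1` or `-c foo` set max_hop_count to 0 or below and the later `hops >= max_hop_count` check then drops every BOOTREQUEST, turning the option into a self-inflicted DoS. Parse with strtol() and check the end pointer, and reject anything outside 1..255, e.g. `if (*end || hcount < 1 || hcount > 255) usage ();`. usage() should also list the new `-c count` flag, and the `int hcount;` and `hcount = atoi(argv[i]);` lines carry trailing whitespace.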
@@ -425,6 +435,8 @@
 		packet -> giaddr = ip -> primary_address;
 	if (packet -> hops != 255)
 		packet -> hops = packet -> hops + 1;
+	if (packet -> hops >= max_hop_count)
+		return;
 
 	/* Otherwise, it's a BOOTREQUEST, so forward it to all the
 	   servers. */
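Review bot: the drop is silent; a packet discarded for reaching max_hop_count is exactly the symptom this advisory describes, so log the drop (interface, giaddr, hops) before the `return;` so an operator sees the loop rather than a quietly busier NIC. Note also that with the default of 255 the check only terminates because the preceding `if (packet -> hops != 255)` saturates hops at 255 and the comparison is `>=`; with `>` it would never fire. The check bounds the loop but does not remove its cause (the relay's own broadcast coming back with a foreign giaddr intact), so each malicious packet still costs up to max_hop_count relays, as the description says.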


This problem has been reported to the dhcp-server list on 20021016

Date: Wed, 16 Oct 2002 19:29:21 +0200
From: Florian Lohoff <flo@rfc822.org>
To: dhcp-server@isc.org
Subject: [PATCH] dhcp-relay patch to limit hop count

and to dhcp-bugs on 20021211

Date: Wed, 11 Dec 2002 22:48:38 +0100
From: Florian Lohoff <flo@rfc822.org>
To: dhcp-bugs@isc.org
Subject: [PATCH] bootp request loop in dhcp-relay

No answers so far ...

Flo
-- 
Florian Lohoff                  flo@rfc822.org             +49-5201-669912
                        Heisenberg may have been here.
(88465) /Florian Lohoff <flo@rfc822.org>/-(Reflowed)
Attachment (application/pgp-signature) in text 88466
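The loop the message describes, as an added simulation (this is not code from the original post or from ISC dhcrelay): it models the relay's BOOTREQUEST path as the advisory and the patch describe it (drop if giaddr is our own address, set giaddr only if unset, saturating hops increment, the patch's max_hop_count check) and replays the LPF reflection by feeding every forwarded packet straight back into the relay. The 10.0.0.x addresses, the xid and the STORM_CAP bound are constructed; a max_hop_count of 0 stands in for the unpatched relay that has no limit at all.

```c
#include <stdint.h>
#include <stdio.h>

#define BOOTREQUEST 1
#define STORM_CAP   100000u  /* iterations after which the loop is declared unbounded */

/* Fixed part of a BOOTP/DHCP header (RFC 951 layout); only op, hops and
 * giaddr matter for the loop. Addresses are plain host-order integers
 * because nothing leaves this process. */
struct bootp_hdr {
    uint8_t  op, htype, hlen, hops;
    uint32_t xid;
    uint16_t secs, flags;
    uint32_t ciaddr, yiaddr, siaddr, giaddr;
};

struct relay {
    uint32_t my_addr;        /* interface primary address, written into giaddr */
    int      max_hop_count;  /* 0 models the unpatched relay (no hop limit) */
    unsigned forwarded;      /* BOOTREQUESTs sent towards the server(s) */
    unsigned dropped;
};

/* One pass through the relay's BOOTREQUEST path as the advisory describes it.
 * Returns 1 if the packet goes out to the server(s), 0 if it is dropped. */
static int relay_request(struct relay *r, struct bootp_hdr *p)
{
    if (p->op != BOOTREQUEST)
        return 0;
    if (p->giaddr == r->my_addr) {      /* "we just sent it" loop check */
        r->dropped++;
        return 0;
    }
    if (p->giaddr == 0)                 /* a foreign giaddr is left untouched */
        p->giaddr = r->my_addr;
    if (p->hops != 255)                 /* saturating increment, as in dhcrelay */
        p->hops++;
    if (r->max_hop_count > 0 && p->hops >= r->max_hop_count) {  /* the patch */
        r->dropped++;
        return 0;
    }
    r->forwarded++;
    return 1;
}

/* Model the LPF reflection: every frame broadcast towards the servers is
 * delivered back to the relay's own socket, so the same packet is processed
 * again until something drops it. Returns how many times it was forwarded,
 * or STORM_CAP if it never stops. */
unsigned count_forwards(uint32_t giaddr, uint8_t hops, int max_hop_count)
{
    struct relay r = { 0x0a000002u /* 10.0.0.2, constructed */, max_hop_count, 0, 0 };
    struct bootp_hdr p = {0};
    unsigned n = 0;

    p.op = BOOTREQUEST;
    p.htype = 1;            /* Ethernet */
    p.hlen = 6;
    p.xid = 0xdeadbeefu;    /* constructed */
    p.giaddr = giaddr;
    p.hops = hops;

    while (n < STORM_CAP && relay_request(&r, &p))
        n++;
    return n;
}

int main(void)
{
    /* constructed inputs: a normal client request and one carrying someone else's giaddr */
    const uint32_t foreign = 0x0a000001u;  /* 10.0.0.1, some other relay */
    printf("client request (giaddr 0), unpatched:    %u relays\n", count_forwards(0, 0, 0));
    printf("foreign giaddr, unpatched:               %u relays (capped, unbounded)\n", count_forwards(foreign, 0, 0));
    printf("foreign giaddr, patch default (-c 255):  %u relays\n", count_forwards(foreign, 0, 255));
    printf("foreign giaddr, -c 10:                   %u relays\n", count_forwards(foreign, 0, 10));
    printf("foreign giaddr, hops already 255, -c 10: %u relays\n", count_forwards(foreign, 255, 10));
    return 0;
}
```

The counts make the amplification explicit: a client request with giaddr 0 is relayed once and then caught by the giaddr check on its reflection, whereas a request that arrives with a foreign giaddr is relayed until the hop limit stops it, 254 times with the patch's default of 255 and forever with the unpatched code. That is the reason a small -c value matters in practice.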
88466 2003-01-21  09:47  /9 lines/ Florian Lohoff <flo@rfc822.org>
Imported: 2003-01-21  09:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3114>
Attachment (text/plain) to text 88465
Subject: Attachment to: DoS against DHCP infrastructure with isc dhcrelay
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+JXQ2Uaz2rXW+gJcRAuFnAKDM/eWIEegfIgEHsdYGTMNh9aH3pgCfeYQG
Z9zQE2MlEoCIXojqnw/kFl8=
=uDcH
-----END PGP SIGNATURE-----
(88466) /Florian Lohoff <flo@rfc822.org>/-----------