NetBSD Problem Report #30550

From www@netbsd.org  Sat Jun 18 15:11:42 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
	id DE76563B116; Sat, 18 Jun 2005 15:11:42 +0000 (UTC)
Message-Id: <20050618151142.DE76563B116@narn.netbsd.org>
Date: Sat, 18 Jun 2005 15:11:42 +0000 (UTC)
From: eravin@panix.com
Reply-To: eravin@panix.com
To: gnats-bugs@netbsd.org
Subject: denial-of-service attack using ICMP "need to fragment" messages and MTU set to 1500
X-Send-Pr-Version: www-1.0

>Number:         30550
>Category:       kern
>Synopsis:       denial-of-service attack using ICMP "need to fragment" messages and MTU set to 1500
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 18 15:12:00 +0000 2005
>Closed-Date:    Fri Feb 09 20:05:02 +0000 2018
>Last-Modified:  Fri Feb 09 20:05:02 +0000 2018
>Originator:     Ed Ravin
>Release:        2.0
>Organization:
PANIX Public Access Networks Corp
>Environment:
NetBSD victimwebserver 2.0 NetBSD 2.0 (PANIX-WEB) #1: Thu Jan 20 22:05:35 EST 2005  root@trinity.nyc.access.net:/devel/netbsd/2.0/src/sys/arch/i386/compile/PANIX-WEB i386
>Description:
We were hit by a DoS attack we haven't heard of before, which might be
remediable by updating the way NetBSD handles ICMP "Need to Fragment"
unreachable messages.

The attacker opened up connections to the victim Web server on port 80,
and began fetching the home page.  When the first packet of the
response was sent out (a full 1500 byte packet), the attacker sent this
response:

  20:35:00.988340 IP attacker.example.com > victimwebserver.example.net: icmp 36: attacker.example.com unreachable - need to frag (mtu 1500)

So the victim's Web server changed the MTU size for that connection from 1500
to 1500, and then tried sending the packet again.  And again.  And again.
With multiple connections open, and by constantly responding to every TCP
packet with another ICMP unreachable as shown above, the attacker was able
to cause the victim to send a large amount of data, wasting our network
bandwidth and filling up mbufs on the victim machine.

Perhaps NetBSD could ignore the "need to fragment" message if the MTU
size asked for matches the existing size?  And/or put some rate limiting
on how many times it will act on the unreachable message?

More data (including partial tcpdump logs) is available upon request.

>How-To-Repeat:

>Fix:
As a workaround, we've blocked all "ICMP unreachable - need to fragment" packets at our border routers.  We're not happy with this, since it means PMTUD is broken everywhere.
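The loop described in this report, and the two counter-measures it proposes (ignore a "need to frag" whose MTU does not lower the current one; rate-limit how often a connection acts on such messages), modelled as an added example. This is not NetBSD's kernel code or the submitter's; the window and limit values, the clock injection and the replayed message sequence are assumptions for the sake of a runnable model.

```python
# Added example (not NetBSD's code): model of a TCP stack reacting to ICMP
# "need to fragment"; the window/limit values and clock injection are assumed.
import time

class Connection:
    """Per-connection state: current path MTU and ICMP-triggered retransmits."""
    def __init__(self, mtu=1500):
        self.mtu = mtu
        self.retransmits = 0

class NaiveHandler:
    """Behaviour reported in the PR: honour every message, even mtu 1500 -> 1500,
    and retransmit each time, so the attacker's flood is mirrored back as data."""
    def needfrag(self, conn, advertised_mtu):
        conn.mtu = advertised_mtu
        conn.retransmits += 1
        return True

class HardenedHandler:
    """The two mitigations the report proposes: ignore messages that do not
    lower the MTU, and cap how often one connection acts on them per window."""
    def __init__(self, max_per_window=4, window_s=1.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock
        self._hits = {}  # id(conn) -> timestamps of honoured messages

    def needfrag(self, conn, advertised_mtu):
        # Mitigation 1: an advertised MTU that does not shrink the path MTU
        # carries no new information; acting on it only burns bandwidth.
        if advertised_mtu >= conn.mtu:
            return False
        # Mitigation 2: per-connection rate limit on honoured messages.
        now = self.clock()
        recent = [t for t in self._hits.get(id(conn), ()) if now - t < self.window_s]
        self._hits[id(conn)] = recent
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        conn.mtu = advertised_mtu
        conn.retransmits += 1
        return True

def replay(handler, advertised_mtus):
    """Feed advertised MTUs to a fresh connection; return (final_mtu, retransmits)."""
    conn = Connection()
    for mtu in advertised_mtus:
        handler.needfrag(conn, mtu)
    return conn.mtu, conn.retransmits
```

Replaying a constructed flood of `mtu 1500` messages against a fresh 1500-byte connection gives one retransmit per message with `NaiveHandler` and none with `HardenedHandler`, while a genuine downward sequence such as 1400 then 1300 is still honoured.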

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Fri, 09 Feb 2018 20:05:02 +0000
State-Changed-Why:
This issue got described in

https://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

And NetBSD implemented the counter-measures 12 years ago
(tcp_subr.c::r1.192).

So close this PR... belatedly...


>Unformatted:
