NetBSD Problem Report #42243

From yasuoka@iij.ad.jp  Wed Oct 28 14:27:30 2009
Return-Path: <yasuoka@iij.ad.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id D94D063B8B6
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 28 Oct 2009 14:27:30 +0000 (UTC)
Message-Id: <20091028.232449.227179676.yasuoka@iij.ad.jp>
Date: Wed, 28 Oct 2009 23:24:49 +0900 (JST)
From: Yasuoka Masahiko <yasuoka@iij.ad.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: "net.inet.icmp.bmcastecho" support

>Number:         42243
>Category:       kern
>Synopsis:       "net.inet.icmp.bmcastecho" support
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 28 14:30:00 +0000 2009
>Closed-Date:    Sun Aug 14 19:30:46 +0000 2011
>Last-Modified:  Sun Aug 14 19:30:46 +0000 2011
>Originator:     yasuoka@iij.ad.jp
>Release:        NetBSD current
>Organization:
Internet Initiative Japan Inc.
>Environment:
System: NetBSD yasuoka-nb-c.iij.ad.jp 5.99.21 NetBSD 5.99.21 (GENERIC) #4: Wed Oct 28 21:33:24 JST 2009 yasuoka@yasuoka-nb-c.iij.ad.jp:/source/yasuoka/NetBSD/current/sys/arch/i386/compile/obj/GENERIC i386
Architecture: i386
Machine: i386
>Description:

As "CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks"
(http://www.cert.org/advisories/CA-1998-01.html) says:
| III. Solution
|   A. Solutions for the Intermediary
(snip)
|     2. Configure your operating system to prevent the machine from
|        responding to ICMP packets sent to IP broadcast addresses.

The advisory was issued 11 years ago, but NetBSD still responds
to broadcast ICMP packets.

A patch is attached in the ">Fix:" section; I hope NetBSD applies this
patch to fix the issue.

  - The patch came from FreeBSD.
  - It disables responding to ICMP echo or timestamp requests sent to the
    broadcast address.
  - This behavior can be changed by the sysctl
    net.inet.icmp.bmcastecho
  - netstat(1) shows the number of packets that are dropped for this reason.

>How-To-Repeat:

    Ping your local IP network's all-zeros broadcast address; NetBSD hosts
    respond to the ping.

    For example,

        |------+-------------+-----------| local network (192.168.0.0/24)
               |.101         |.102
          +----+-----+  +----+-----+
          | NetBSD-A |  | NetBSD-B |
          +----------+  +----------+

      - NetBSD-A has 192.168.0.101/24
      - NetBSD-B has 192.168.0.102/24
      - On NetBSD-A, ping 192.168.0.0
      => NetBSD-B answers the ping.

>Fix:

Apply the following patch.  The patch is for NetBSD-current 2009-10-28.

Index: sys/netinet/icmp_var.h
===================================================================
RCS file: /cvsroot/NetBSD/src/sys/netinet/icmp_var.h,v
retrieving revision 1.27
diff -b -u -p -r1.27 icmp_var.h
--- sys/netinet/icmp_var.h	12 Apr 2008 05:58:22 -0000	1.27
+++ sys/netinet/icmp_var.h	28 Oct 2009 12:57:35 -0000
@@ -57,7 +57,10 @@
 		/* space for ICMP_MAXTYPE + 1 (19) counters */
 #define	ICMP_STAT_PMTUCHG	46	/* path MTU changes */

-#define	ICMP_NSTATS		47
+#define	ICMP_STAT_BMCASTECHO	47	/* b/mcast echo requests dropped */
+#define	ICMP_STAT_BMCASTTSTAMP	48	/* b/mcast tstamp requests dropped */
+
+#define	ICMP_NSTATS		49

 #if ICMP_MAXTYPE != 18
 #error ICMP_MAXTYPE too large for ICMP statistics
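Review bot: bumping ICMP_NSTATS from 47 to 49 changes the length of the counter array the kernel exports to netstat(1) via the stats sysctl, so a netstat built against the old icmp_var.h and a kernel with this change will disagree about the array size; the usr.bin/netstat part of this patch has to land in the same commit series, and the commit message should say the stats layout changed.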
@@ -75,7 +78,8 @@
 #define ICMPCTL_REDIRACCEPT	5	/* Accept redirects from routers */
 #define ICMPCTL_REDIRTIMEOUT	6	/* Remove routes added via redirects */
 #define	ICMPCTL_STATS		7	/* ICMP statistics */
-#define ICMPCTL_MAXID		8
+#define ICMPCTL_BMCASTECHO	8	/* allow broad/mult-cast echo */
+#define ICMPCTL_MAXID		9

 #define ICMPCTL_NAMES { \
 	{ 0, 0 }, \
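Review bot: the comment on `#define ICMPCTL_BMCASTECHO	8	/* allow broad/mult-cast echo */` understates what the knob gates, since the same variable also controls timestamp replies in ip_icmp.c; suggest `/* allow broadcast/multicast echo and timestamp replies */`.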
@@ -86,6 +90,7 @@
 	{ "rediraccept", CTLTYPE_INT }, \
 	{ "redirtimeout", CTLTYPE_INT }, \
 	{ "stats", CTLTYPE_STRUCT }, \
+	{ "bmcastecho", CTLTYPE_INT }, \
 }

 #ifdef _KERNEL
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /cvsroot/NetBSD/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.121
diff -b -u -p -r1.121 ip_icmp.c
--- sys/netinet/ip_icmp.c	16 Sep 2009 15:23:05 -0000	1.121
+++ sys/netinet/ip_icmp.c	28 Oct 2009 12:57:35 -0000
@@ -142,6 +142,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 
  */

 int	icmpmaskrepl = 0;
+int	icmpbmcastecho = 0;
 #ifdef ICMPPRINTFS
 int	icmpprintfs = 0;
 #endif
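Review bot: the default of 0 means the new drop is active as soon as the kernel boots, which is the behaviour the CERT advisory asks for but is also a visible change for anyone who relied on broadcast ping replies; the default should be stated explicitly in the sysctl.7 entry and mentioned in the commit message so the change of behaviour is documented.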
@@ -542,6 +543,11 @@ icmp_input(struct mbuf *m, ...)
 		break;

 	case ICMP_ECHO:
+		if (!icmpbmcastecho &&
+		    (m->m_flags & (M_MCAST | M_BCAST)) != 0)  {
+			ICMP_STATINC(ICMP_STAT_BMCASTECHO);
+			break;
+		}
 		icp->icmp_type = ICMP_ECHOREPLY;
 		goto reflect;

@@ -550,6 +556,11 @@ icmp_input(struct mbuf *m, ...)
 			ICMP_STATINC(ICMP_STAT_BADLEN);
 			break;
 		}
+		if (!icmpbmcastecho &&
+		    (m->m_flags & (M_MCAST | M_BCAST)) != 0)  {
+			ICMP_STATINC(ICMP_STAT_BMCASTTSTAMP);
+			break;
+		}
 		icp->icmp_type = ICMP_TSTAMPREPLY;
 		icp->icmp_rtime = iptime();
 		icp->icmp_ttime = icp->icmp_rtime;	/* bogus, do later! */
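Review bot: this block is a verbatim copy of the ICMP_ECHO check, differing only in the counter name; a small static inline helper or macro taking the ICMP_STAT_* index would keep the two tests from drifting apart. Placing it after the BADLEN check is the right order, since a too-short broadcast timestamp request is then counted once as BADLEN rather than as BMCASTTSTAMP.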
@@ -1055,6 +1066,14 @@ sysctl_netinet_icmp_setup(struct sysctll
 		       sysctl_net_inet_icmp_stats, 0, NULL, 0,
 		       CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_STATS,
 		       CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "bmcastecho",
+		       SYSCTL_DESCR("Respond to ICMP_ECHO or ICMP_TIMESTAMP "
+				    "message to the broadcast or multicast"),
+		       NULL, 0, &icmpbmcastecho, 0,
+		       CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_BMCASTECHO,
+		       CTL_EOL);
 }

 void
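Review bot: the SYSCTL_DESCR text reads as a fragment ("Respond to ICMP_ECHO or ICMP_TIMESTAMP message to the broadcast or multicast"); suggest "Respond to ICMP echo and timestamp requests sent to broadcast or multicast addresses". The node is CTLFLAG_READWRITE with no range check, which is fine here because the code only tests `!icmpbmcastecho`, so any non-zero value behaves as 1, the same convention the neighbouring maskrepl node uses.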
Index: usr.bin/netstat/inet.c
===================================================================
RCS file: /cvsroot/NetBSD/src/usr.bin/netstat/inet.c,v
retrieving revision 1.91
diff -b -u -p -r1.91 inet.c
--- usr.bin/netstat/inet.c	14 Sep 2009 10:36:50 -0000	1.91
+++ usr.bin/netstat/inet.c	28 Oct 2009 12:57:35 -0000
@@ -582,6 +582,8 @@ icmp_stats(u_long off, const char *name)
 	p(ICMP_STAT_TOOSHORT, "\t%llu message%s < minimum length\n");
 	p(ICMP_STAT_CHECKSUM, "\t%llu bad checksum%s\n");
 	p(ICMP_STAT_BADLEN, "\t%llu message%s with bad length\n");
+	p(ICMP_STAT_BMCASTECHO, "\t%llu multicast echo request%s ignored\n");
+	p(ICMP_STAT_BMCASTTSTAMP, "\t%llu multicast timestamp request%s ignored\n");
 	for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
 		if (icmpstat[ICMP_STAT_INHIST + i] != 0) {
 			if (first) {
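Review bot: both new strings say "multicast ... ignored", but the counters behind them are incremented for M_BCAST as well as M_MCAST packets; say "\t%llu broadcast/multicast echo request%s ignored\n" (and likewise for timestamp) so an operator reading netstat -s is not misled about what was dropped.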
Index: share/man/man7/sysctl.7
===================================================================
RCS file: /cvsroot/NetBSD/src/share/man/man7/sysctl.7,v
retrieving revision 1.27
diff -b -u -p -r1.27 sysctl.7
--- share/man/man7/sysctl.7	5 Oct 2009 10:47:52 -0000	1.27
+++ share/man/man7/sysctl.7	28 Oct 2009 12:57:35 -0000
@@ -983,6 +983,7 @@ The currently defined protocols and name
 .It icmp	maskrepl	integer	yes
 .It icmp	rediraccept	integer	yes
 .It icmp	redirtimeout	integer	yes
+.It icmp	bmcastecho	integer	yes
 .It ip	allowsrcrt	integer	yes
 .It ip	anonportmax	integer	yes
 .It ip	anonportmin	integer	yes
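Review bot: the existing icmp rows in this table are in alphabetical order (maskrepl, rediraccept, redirtimeout), as are the ip rows below, so `.It icmp	bmcastecho	integer	yes` belongs before the maskrepl line rather than after redirtimeout.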
@@ -1192,6 +1193,9 @@ ICMP redirect.
 This defaults to 600 seconds.
 .It Li icmp.returndatabytes
 Number of bytes to return in an ICMP error message.
+.It Li icmp.bmcastecho
+If set to 1, enables responding to ICMP echo or timestamp request to the
+broadcast address.
 .It Li tcp.ack_on_push
 If set to 1, TCP is to immediately transmit an ACK upon reception of
 a packet with PUSH set.
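Review bot: the new paragraph mentions only "the broadcast address", while the code also drops requests sent to multicast addresses; say "broadcast or multicast address" and state the default ("This defaults to 0."), in the same way the redirtimeout entry above documents its default of 600 seconds.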

>Release-Note:

>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42243 CVS commit: src
Date: Mon, 7 Dec 2009 13:47:25 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Mon Dec  7 18:47:25 UTC 2009

 Modified Files:
 	src/share/man/man7: sysctl.7
 	src/sys/netinet: icmp_var.h ip_icmp.c

 Log Message:
 PR/42243: Yasuoka Masahiko: Add "net.inet.icmp.bmcastecho" sysctl support,
 to disable icmp replies to the broadcast address.


 To generate a diff of this commit:
 cvs rdiff -u -r1.27 -r1.28 src/share/man/man7/sysctl.7
 cvs rdiff -u -r1.27 -r1.28 src/sys/netinet/icmp_var.h
 cvs rdiff -u -r1.121 -r1.122 src/sys/netinet/ip_icmp.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42243 CVS commit: src/usr.bin/netstat
Date: Mon, 7 Dec 2009 13:48:45 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Mon Dec  7 18:48:45 UTC 2009

 Modified Files:
 	src/usr.bin/netstat: inet.c

 Log Message:
 PR/42243: Yasuoka Masahiko: Add support for "net.inet.icmp.bmcastecho" support.
 Print the current status.


 To generate a diff of this commit:
 cvs rdiff -u -r1.91 -r1.92 src/usr.bin/netstat/inet.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 14 Aug 2011 19:30:46 +0000
State-Changed-Why:
Committed by Christos in 2009.


>Unformatted:
