Received: with ECARTIS (v1.0.0; list netdev); Thu, 22 Apr 2004 06:41:31 -0700 (PDT) Received: from chaos.analogic.com (chaos.analogic.com [204.178.40.224]) by oss.sgi.com (8.12.10/8.12.9) with SMTP id i3MDfRKO013045 for ; Thu, 22 Apr 2004 06:41:27 -0700 Received: (from root@localhost) by chaos.analogic.com (8.11.0.Beta3(chaos.analogic.com)/8.12.0.A) id i3MDgwP08774; Thu, 22 Apr 2004 09:42:58 -0400 Date: Thu, 22 Apr 2004 09:42:58 -0400 (EDT) From: "Richard B. Johnson" X-X-Sender: root@chaos Reply-To: root@chaos.analogic.com To: Willy Tarreau cc: linux-kernel@vger.kernel.org, netdev@oss.sgi.com Subject: Re: tcp vulnerability? haven't seen anything on it here... In-Reply-To: <20040422131704.GA6839@alpha.home.local> Message-ID: References: <20040422131704.GA6839@alpha.home.local> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-archive-position: 4844 X-ecartis-version: Ecartis v1.0.0 Sender: netdev-bounce@oss.sgi.com Errors-to: netdev-bounce@oss.sgi.com X-original-sender: root@chaos.analogic.com Precedence: bulk X-list: netdev Content-Length: 1663 Lines: 41 On Thu, 22 Apr 2004, Willy Tarreau wrote: > On Thu, Apr 22, 2004 at 07:35:54AM -0400, Richard B. Johnson wrote: > > > Has anybody checked to see what Linux does if it receives a > > RST to the broadcast address? It would be a shame if all > > connections were dropped! > > I don't see how this would be possible : a TCP packet is matched *only* if > it refers to a valid session. If you have no session established from/to the > broadcast address, there's no possibility that an RST targetted at this > address > terminates anything, even if the ports are OK. > > Cheers, > Willy > If course it's possible. Remember the trick to blue-screen W$, just send a fragmented packet with a large length, then never send the rest. There are lots of things that can happen when control data goes to the broadcast address. Ping the broadcast address and observe. If you have any W$/2000/prof machines on your network that don't have service-pack 2 or later installed, just syn-flood the broadcast address. So I wonder how well the corner cases have been checked. Of course you can't "connect" to a host using the broadcast address, unless some code runs off the end of a switch statement unchecked. Hopefully invalid packets just get dropped on the floor. However, history shows otherwise. Linux has a habit of loudly complaining about invalid packets or protocol violations. The result being a log full of messages leading to a full file-system. Fortunately one can turn off many using the /proc/sys/net/ipv4 interface. Cheers, Dick Johnson Penguin : Linux version 2.4.26 on an i686 machine (5557.45 BogoMips). Note 96.31% of all statistics are fiction.