TUCoPS :: BSD :: bsd5270.htm

FreeBSD syncache/syncookies denial of service
17th Apr 2002 [SBWID-5270]

	FreeBSD syncache/syncookies denial of service



	 FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC

	 FreeBSD 4.5-STABLE prior to the correction date 


	 Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)

	                 2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)



	In FreeBSD Security Advisory FreeBSD-SA-02:20.syncache a  bug  regarding
	syncache and syncookie mechanism has been detected and corrected :





	The SYN cache (\"syncache\") and SYN  cookie  mechanism  (\"syncookie\")
	are features of the TCP/IP stack intended to  improve  resistance  to  a
	class of denial of service attacks known as SYN floods.

	 Problem Description



	Two related problems with syncache were triggered when  syncookies  were

	1) When a SYN was accepted via a syncookie,  it  used  an  uninitialized
	pointer to find the TCP options for the new socket. This pointer may  be
	a null pointer, which will cause the machine to crash.

	2) A syncache entry is created when a SYN arrives on  a  listen  socket.
	If the application which  created  the  listen  socket  was  killed  and
	restarted  ---  and  therefore  recreated  the  listen  socket  with   a
	different inpcb --- an ACK (or duplicate SYN) which  later  arrived  and
	matched the existing syncache entry would cause a reference to  the  old
	inpcb pointer. Depending on the pointer\'s contents, this  might  result
	in a system crash.

	Because syncache/syncookies support was added prior to  the  release  of
	FreeBSD 4.5-RELEASE, no other releases are affected.




	Legitimate TCP/IP traffic may cause the machine to crash.






	The first issue described may be worked around by  disabling  syncookies
	using sysctl.  Issue the following command as root:


	  # sysctl -w net.inet.tcp.syncookies=0



	However, there is no workaround for the second issue.




	1) Upgrade your  vulnerable  system  to  4.5-STABLE  or  the  RELENG_4_5
	security branch dated after the respective correction dates.

	2) To patch your present system: download the relevant  patch  from  the
	below location, and execute the following commands as root:


	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc



	This patch has been verified to apply to 4.5-RELEASE only.

	Verify the detached PGP signature using your PGP utility.

	Execute the following commands as root:


	# cd /usr/src

	# patch -p < /path/to/patch



	Recompile        your        kernel        as        described        in
	http://www.freebsd.org/handbook/kernelconfig.html   and    reboot    the

	 Correction details



	The following list contains the revision numbers of each file  that  was
	corrected in the FreeBSD ports collection.


	Path                                                             Revision


	- -------------------------------------------------------------------------






	- -------------------------------------------------------------------------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH