Vulnerability

    kernel

Affected

    NetBSD 1.4, 1.5, -current

Description

    Following  is  based  on  a  NetBSD  Security  Advisory  2001-006.
    Malicious  parties  may  be  able  to  prevent  a NetBSD node from
    communicating  with  other  nodes  by  transmitting a lot of bogus
    fragmented IPv4  packets.   For the  attack to  be effective,  the
    attacker needs  to have  good network  connectivity to  the victim
    node (like logged onto the  victim machine itself, connected by  a
    fat LAN, or whatever).

    There are  exploits for  this problem  available on  the Internet.
    However, the  attack is  timing dependent  and the  attack is  not
    always successful.

    In the IPv4 input  path (sys/netinet/ip_input.c), there's code  to
    reassemble fragmented IPv4 datagrams.  Datagram fragments destined
    to the  node will  be queued  for 30  seconds, to allow fragmented
    datagrams to be reassembled.   Until recently, there was no  upper
    limit in the number of reassembly queues.  Therefore, a  malicious
    party may be  able to transmit  a lot of  bogus fragmented packets
    (with different  IPv4 identification  field -  ip_id), and  may be
    able to put the target machine into mbuf starvation state.

    Recently     NetBSD     introduced     a     new     sysctl(3)   -
    net.inet.ip.maxfragpackets.   With  this,  you  can  configure  an
    upper limit to the number of  reassembly queues.  If you want  the
    old  behavior  (no  limit),  you  can  set the value to a negative
    value.

    Thanks  To  James  Thomas  for  bringing  this  problem  to NetBSD
    attention,  and  Jun-ichiro  Hagino  for  providing  a fix for the
    problem.

Solution

    (1) Upgrade  the system  from newer  sources or  binaries: Compile
        and  install  a  kernel  which  has  the  sysctl(3)   variable
        net.inet.ip.maxfragpackets  in  the  sysctl  MIB.   With  this
        variable, you can limit the number of IPv4 fragment reassembly
        queues  kept  on  the  system.   The  value needs to be picked
        carefully, considering the role of the node (i.e. if the  node
	is a busy web server, you  may want to set the value  higher).
	Note that, however,  even with the  configuration knob, it  is
	possible  for  attackers  to  transmit  a  lot  of  bogus IPv4
	fragmented packets, and prevent other fragmented IPv4  traffic
        from  getting  reassembled.   Unfragmented  IPv4 communication
        will be kept safe by the variable.

        Systems  running  NetBSD-current  dated  from before April 17,
        2001 should be upgraded to NetBSD-current dated April 17, 2001
        or later.

        Systems running NetBSD 1.5.x  systems dated from before  April
        24, 2001 should  be upgraded to  NetBSD 1.5.x dated  April 24,
        2001 or later.  NetBSD 1.5.1 will ship with the fix.

        There is no fix to 1.4.x available at this time.

    (2) Increase the  kernel option NMBCLUSTERS.   Use an  appropriate
        value  for  NMBCLUSTERS  for  the  node.   Normally, it is the
        cluster  mbufs  which  go  into  a  starvation state with this
        attack.  By setting NMBCLUSTERS to a higher value, you may  be
        able to prevent the mbuf memory pool from starving.

        Note  that  a  couple  of  NetBSD  device drivers pre-allocate
        cluster mbufs within the  driver, for performance reasons  and
        DMA  management  reasons.    For  example,   the  fxp   driver
        pre-allocates  64  cluster  mbufs  per  interface.  If you are
        using such network cards,  you will want to  raise NMBCLUSTERS
        even more.