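Multiple Vendors' TCP/IP Implementations Fail to Handle Packets with Identical Source and Destination IP: Denial-of-Service Vulnerability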

admin 2022-07-12 04:37:32 CNNVD Vulnerabilities Source: ZONE.CI Global Network

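Vulnerability Details

Multiple Vendors' TCP/IP Implementations Fail to Handle Packets with Identical Source and Destination IP: Denial-of-Service Vulnerability

  • CNNVD ID: CNNVD-199712-002
  • Severity: Low
  • CVE ID: CVE-1999-0016
  • Vulnerability type: Unknown
  • Published: 1997-11-13
  • Threat type: Remote
  • Updated: 2006-11-16
  • Vendor: sun
  • Vulnerability source: m3lt meltman@lagge...

Vulnerability Summary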

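The TCP/IP protocol stack is the most widely used networking protocol for Internet connectivity and is implemented by most operating systems. The TCP/IP stack implementations in early BSD-derived systems (except Linux) and in Windows systems contain a vulnerability that a remote attacker can exploit to carry out a denial-of-service attack against a server. Sending a SYN packet whose source and destination addresses are the same, and whose source and destination ports are also the same, to a vulnerable target system is the well-known Land attack. Because of problems in the TCP/IP implementation, the target system may mishandle this malformed packet. Different systems react differently to a Land attack: many older UNIX-like operating systems crash, while on NT CPU usage approaches 100% (for roughly five minutes). Information about this vulnerability can be found in newsgroups and mailing lists by searching for the keywords "Land denial of service" and "Land Attack".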
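The packet condition described above can be checked from a filter or IDS before the stack ever sees the segment. The following is an added example, not code from this page or from the FreeBSD patch: it classifies a raw IPv4 packet buffer and flags TCP segments with SYN set whose source address and port equal the destination address and port. The function name is_land_packet, the helper make_pkt and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TH_SYN 0x02

/* 1 = TCP segment with SYN set and src addr/port == dst addr/port (Land),
 * 0 = any other parseable packet, -1 = truncated or not IPv4. */
int is_land_packet(const uint8_t *p, size_t len)
{
    size_t ihl = len >= 20 ? (size_t)(p[0] & 0x0f) * 4 : 0; /* IP header length */
    if (ihl < 20 || len < ihl || (p[0] >> 4) != 4)
        return -1;
    if (p[9] != 6)                                /* not TCP */
        return 0;
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0)       /* later fragment: no TCP header */
        return 0;
    if (len < ihl + 14)                           /* need TCP bytes 0..13 */
        return -1;
    const uint8_t *tcp = p + ihl;
    return memcmp(p + 12, p + 16, 4) == 0 &&      /* src addr == dst addr */
           memcmp(tcp, tcp + 2, 2) == 0 &&        /* src port == dst port */
           (tcp[13] & TH_SYN) != 0;
}

/* Hypothetical helper: build a constructed 40-byte IPv4+TCP packet in memory
 * (checksums left zero; nothing is sent anywhere). */
size_t make_pkt(uint8_t *b, const uint8_t src[4], const uint8_t dst[4],
                uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(b, 0, 40);
    b[0] = 0x45; b[3] = 40; b[8] = 64; b[9] = 6;  /* IPv4, IHL 5, TTL, TCP */
    memcpy(b + 12, src, 4); memcpy(b + 16, dst, 4);
    b[20] = (uint8_t)(sport >> 8); b[21] = (uint8_t)sport;
    b[22] = (uint8_t)(dport >> 8); b[23] = (uint8_t)dport;
    b[32] = 0x50; b[33] = flags;                  /* data offset 5 words, flags */
    return 40;
}

int main(void)
{
    const uint8_t a[4] = {192, 0, 2, 10}, c[4] = {192, 0, 2, 99};
    uint8_t pkt[40];
    size_t n = make_pkt(pkt, a, a, 80, 80, TH_SYN);      /* constructed Land SYN */
    printf("land SYN:   %d\n", is_land_packet(pkt, n));
    n = make_pkt(pkt, c, a, 40000, 80, TH_SYN);          /* ordinary SYN */
    printf("normal SYN: %d\n", is_land_packet(pkt, n));
    return 0;
}
```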

Vulnerability Advisory

Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (SA-98:01) and corresponding patches for this issue:

SA-98:01:LAND attack can cause harm to running FreeBSD systems

Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-98:01.asc

Patch download:

Apply the enclosed patch. There are two patches, one for FreeBSD -current, and another for FreeBSD 2.2-stable.

patch for -current prior to Jan 21, 1998. Found in land-current.

Index: tcp_input.c

===================================================================

RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v

retrieving revision 1.67

retrieving revision 1.68

diff -u -r1.67 -r1.68

--- tcp_input.c 1997/12/19 23:46:15 1.67

+++ tcp_input.c 1998/01/21 02:05:59 1.68

@@ -626,6 +613,7 @@

* If the state is LISTEN then ignore segment if it contains an RST.

* If the segment contains an ACK then it is bad and send a RST.

* If it does not contain a SYN then it is not interesting; drop it.

+ * If it is from this socket, drop it, it must be forged.

* Don't bother responding if the destination was a broadcast.

* Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial

* tp->iss, and send a segment:
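
Review bot: The added comment line "If it is from this socket, drop it, it must be forged" is looser than the test it documents. The code added in the next hunk compares ti_sport with ti_dport and ti_src.s_addr with ti_dst.s_addr, so the comment should say that a SYN whose source address and port equal its destination address and port is dropped. It would also help to note that the drop is silent, since the neighbouring comment lines distinguish dropping from sending a RST.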

@@ -644,6 +632,9 @@

goto dropwithreset;

if ((tiflags & TH_SYN) == 0)

goto drop;

+ if ((ti->ti_dport == ti->ti_sport) &&

+ (ti->ti_dst.s_addr == ti->ti_src.s_addr))

+ goto drop;

/*

* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN

* in_broadcast() should never return true on a received
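
Review bot: The new "goto drop;" after the ti_dport/ti_sport and ti_dst/ti_src comparison discards the segment without counting it, while the TCPS_SYN_RECEIVED case added later in this same patch increments tcpstat.tcps_badsyn before resetting. Consider incrementing a statistic here as well, so an administrator can see from the counters that forged same-endpoint SYNs are arriving. A one-line comment above the test naming the attack it blocks would make the purpose obvious to later readers of tcp_input.c.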

@@ -762,6 +753,23 @@

}

/*

+ * If the state is SYN_RECEIVED:

+ * if seg contains SYN/ACK, send a RST.

+ * if seg contains an ACK, but not for our SYN/ACK, send a RST.

+ */

+ case TCPS_SYN_RECEIVED:

+ if (tiflags & TH_ACK) {

+ if (tiflags & TH_SYN) {

+ tcpstat.tcps_badsyn++;

+ goto dropwithreset;

+ }

+ if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||

+ SEQ_GT(ti->ti_ack, tp->snd_max))

+ goto dropwithreset;

+ }

+ break;

+

+ /*

* If the state is SYN_SENT:

* if seg contains an ACK, but not for our SYN, drop the input.

* if seg contains a RST, then drop the connection.
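
Review bot: The ACK bound in the new TCPS_SYN_RECEIVED case, SEQ_LEQ(ti->ti_ack, tp->snd_una), is stricter than the test this patch removes further down, SEQ_GT(tp->snd_una, ti->ti_ack): an ACK equal to snd_una used to pass and is now answered with a RST. That looks intended, because such an ACK does not acknowledge our SYN, but the block comment only says "not for our SYN/ACK"; state the boundary change there or in the commit message. Also, only the SYN+ACK branch increments tcpstat.tcps_badsyn; the bad-ACK branch resets without counting.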

@@ -1176,14 +1184,11 @@

switch (tp->t_state) {

/*

- * In SYN_RECEIVED state if the ack ACKs our SYN then enter

- * ESTABLISHED state and continue processing, otherwise

- * send an RST.

+ * In SYN_RECEIVED state, the ack ACKs our SYN, so enter

+ * ESTABLISHED state and continue processing.

+ * The ACK was checked above.

*/

case TCPS_SYN_RECEIVED:

- if (SEQ_GT(tp->snd_una, ti->ti_ack) ||

- SEQ_GT(ti->ti_ack, tp->snd_max))

- goto dropwithreset;

tcpstat.tcps_connects++;

soisconnected(so);
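
Review bot: With the two SEQ_GT tests removed from case TCPS_SYN_RECEIVED, the transition to ESTABLISHED here depends entirely on the check added earlier in the function, and that check only runs inside if (tiflags & TH_ACK). Please confirm this switch cannot be reached in SYN_RECEIVED without TH_ACK set, and make the new comment "The ACK was checked above" name the earlier TCPS_SYN_RECEIVED case so the dependency can be found when either block is changed.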

patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22

Index: tcp_input.c

===================================================================

RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v

retrieving revision 1.54.2.6

retrieving revision 1.54.2.7

diff -u -r1.54.2.6 -r1.54.2.7

--- tcp_input.c 1997/11/20 21:45:34

Reference URLs

Source: HP Name: HPSBUX9801-076 Link: http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076

Affected Entities

  • Sun Sunos:4.1.4
  • Sun Sunos:4.1.3u1

Patches

    None available
