Re: tcp vulnerability? haven't seen anything on it here...

From: Richard B. Johnson
Date: Thu Apr 22 2004 - 08:44:10 EST

On Thu, 22 Apr 2004, Willy Tarreau wrote:

> On Thu, Apr 22, 2004 at 07:35:54AM -0400, Richard B. Johnson wrote:
> > Has anybody checked to see what Linux does if it receives a
> > RST to the broadcast address? It would be a shame if all
> > connections were dropped!
> I don't see how this would be possible : a TCP packet is matched *only* if
> it refers to a valid session. If you have no session established from/to the
> broadcast address, there's no possibility that an RST targetted at this
> address
> terminates anything, even if the ports are OK.
> Cheers,
> Willy

If course it's possible. Remember the trick to blue-screen W$, just
send a fragmented packet with a large length, then never send the
rest. There are lots of things that can happen when control
data goes to the broadcast address. Ping the broadcast address and
observe. If you have any W$/2000/prof machines on your network that
don't have service-pack 2 or later installed, just syn-flood the
broadcast address. So I wonder how well the corner cases have been
checked. Of course you can't "connect" to a host using the broadcast
address, unless some code runs off the end of a switch statement

Hopefully invalid packets just get dropped on the floor. However,
history shows otherwise. Linux has a habit of loudly complaining
about invalid packets or protocol violations. The result being
a log full of messages leading to a full file-system. Fortunately
one can turn off many using the /proc/sys/net/ipv4 interface.

Dick Johnson
Penguin : Linux version 2.4.26 on an i686 machine (5557.45 BogoMips).
Note 96.31% of all statistics are fiction.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at