regional-it: NetBSD not vulnerable to TCP reassembly mbuf DoS

Subject: NetBSD not vulnerable to TCP reassembly mbuf DoS
To: None <regional-it@netbsd.org>
From: Gianluca <codec@netgravity.it>
List: regional-it
Date: 02/21/2004 10:03:26
Questo =E8 il msg che arrivato nel ML tech-security@NetBSD.org :

=2D----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Note 20040304-1
                 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Topic:          NetBSD not vulnerable to TCP reassembly mbuf DoS


The FreeBSD project recently published FreeBSD-SA-04:04.tcp,=20
describing a denial-of-service vulnerability based on mbuf exhaustion.=20
=20
The NetBSD Security Officer team was aware of this issue, and would=20
like to reassure users that NetBSD is not vulnerable.=20

The TCP reassembly code in NetBSD was enhanced some time ago to
coalesce mbufs in the reassembly queue as out-of-order TCP segments
arrive.  This greatly reduces the potential number of mbufs a TCP
reassembly queue can use, because the length of the queue is also
limited to the size of the TCP receive window.=20

Additionally, mbufs in a partially-reassembled queue can be drained
and reused in resource-shortage conditions; since the out-of-order TCP
data has not been acknowledged, dropping these segments has the same
effect as if the packets had been dropped in the network, and they
will eventually be retransmitted by a legitimate remote TCP.

Together, these two points mean that this resource-exhaustion attack
is not feasible against a NetBSD host. This was confirmed using test
code supplied by Markus Friedl.

Thanks To
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Jacques A. Vidrine
Matt Thomas
Markus Friedl


More Information
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20040304-1.txt,v 1.1 2004/03/04 02:31:28 dan Exp $

=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iQCVAwUBQEaVDj5Ru2/4N2IFAQG8sAP/Rgc4Q0Xn10IrYXwIJjW08AljeMudMjKl
XBpv89ZlUMZiE3lWEJwg4vAeooYCvK6VGLIeb0+ow8ZGDN2GtR6aiL7mnyWTVSTl
qV3Qz6eaXwUXzvj2g24VPNiWu5KAwa+/iu/ufEEflORLYs/9RNbVPJLnBpUGv9US
rOVvSYw/P54=3D
=3D2ZYK
=2D----END PGP SIGNATURE-----

Per altre info:
http://www.merlinobbs.net/modules.php?name=3DNews&file=3Darticle&sid=3D448

=2D-=20
"La liberta' e' ancora l' idea piu' radicale di tutte"
(Nathaniel Branden)