kern/42243: "net.inet.icmp.bmcastecho" support
>Number: 42243
>Category: kern
>Synopsis: "net.inet.icmp.bmcastecho" support
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Oct 28 14:30:00 +0000 2009
>Originator: yasuoka%iij.ad.jp@localhost
>Release: NetBSD current
>Organization:
Internet Initiative Japan Inc.
>Environment:
System: NetBSD yasuoka-nb-c.iij.ad.jp 5.99.21 NetBSD 5.99.21 (GENERIC) #4: Wed
Oct 28 21:33:24 JST 2009
yasuoka%yasuoka-nb-c.iij.ad.jp@localhost:/source/yasuoka/NetBSD/current/sys/arch/i386/compile/obj/GENERIC
i386
Architecture: i386
Machine: i386
>Description:
As stated in "CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks"
(http://www.cert.org/advisories/CA-1998-01.html):
| III. Solution
| A. Solutions for the Intermediary
(snip)
| 2. Configure your operating system to prevent the machine from
| responding to ICMP packets sent to IP broadcast addresses.
The advisory was issued 11 years ago, but NetBSD still answers ICMP echo
requests sent to broadcast addresses, so it can still be used as a smurf amplifier.
A patch is attached in the ">Fix:" section; I hope NetBSD will apply it
to fix the issue.
- The patch came from FreeBSD.
- It stops the host from replying to ICMP echo or timestamp requests
  sent to broadcast or multicast addresses (replies are off by default).
- This behavior can be changed by the sysctl
net.inet.icmp.bmcastecho
- netstat(1) shows the number of requests dropped by this check.
>How-To-Repeat:
Ping the all-zeros broadcast address of your local IP network; NetBSD
hosts answer the ping.
For example,
|------+-------------+-----------| local network (192.168.0.0/24)
|.101 |.102
+----+-----+ +----+-----+
| NetBSD-A | | NetBSD-B |
+----------+ +----------+
- NetBSD-A has 192.168.0.101/24
- NetBSD-B has 192.168.0.102/24
- On NetBSD-A, ping 192.168.0.0
=> NetBSD-B answers the ping.
>Fix:
Apply the following patch. It is against NetBSD-current as of 2009-10-28.
Index: sys/netinet/icmp_var.h
===================================================================
RCS file: /cvsroot/NetBSD/src/sys/netinet/icmp_var.h,v
retrieving revision 1.27
diff -b -u -p -r1.27 icmp_var.h
--- sys/netinet/icmp_var.h 12 Apr 2008 05:58:22 -0000 1.27
+++ sys/netinet/icmp_var.h 28 Oct 2009 12:57:35 -0000
@@ -57,7 +57,10 @@
/* space for ICMP_MAXTYPE + 1 (19) counters */
#define ICMP_STAT_PMTUCHG 46 /* path MTU changes */
-#define ICMP_NSTATS 47
+#define ICMP_STAT_BMCASTECHO 47 /* b/mcast echo requests
dropped */
+#define ICMP_STAT_BMCASTTSTAMP 48 /* b/mcast tstamp requests
dropped */
+
+#define ICMP_NSTATS 49
#if ICMP_MAXTYPE != 18
#error ICMP_MAXTYPE too large for ICMP statistics
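Review bot: Raising ICMP_NSTATS from 47 to 49 changes the size of the counter array behind the `stats` sysctl (declared CTLTYPE_STRUCT further down in this header), so a netstat built against the old header and run on the new kernel will disagree with it about the object size. Appending the two counters at the end, as done here, is the compatible way to grow it, but the size change deserves a sentence in the commit message and the kernel and netstat parts of this patch should land together. The hand-numbered indices also leave nothing to remind the next person to bump the total; `#define ICMP_NSTATS (ICMP_STAT_BMCASTTSTAMP + 1)` would tie it to the last entry.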
@@ -75,7 +78,8 @@
#define ICMPCTL_REDIRACCEPT 5 /* Accept redirects from routers */
#define ICMPCTL_REDIRTIMEOUT 6 /* Remove routes added via redirects */
#define ICMPCTL_STATS 7 /* ICMP statistics */
-#define ICMPCTL_MAXID 8
+#define ICMPCTL_BMCASTECHO 8 /* allow broad/mult-cast echo */
+#define ICMPCTL_MAXID 9
#define ICMPCTL_NAMES { \
{ 0, 0 }, \
@@ -86,6 +90,7 @@
{ "rediraccept", CTLTYPE_INT }, \
{ "redirtimeout", CTLTYPE_INT }, \
{ "stats", CTLTYPE_STRUCT }, \
+ { "bmcastecho", CTLTYPE_INT }, \
}
#ifdef _KERNEL
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /cvsroot/NetBSD/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.121
diff -b -u -p -r1.121 ip_icmp.c
--- sys/netinet/ip_icmp.c 16 Sep 2009 15:23:05 -0000 1.121
+++ sys/netinet/ip_icmp.c 28 Oct 2009 12:57:35 -0000
@@ -142,6 +142,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v
*/
int icmpmaskrepl = 0;
+int icmpbmcastecho = 0;
#ifdef ICMPPRINTFS
int icmpprintfs = 0;
#endif
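Review bot: The new tunable `icmpbmcastecho` on the added line has no comment, while its neighbour sits under the comment block that closes just above the hunk (presumably describing these knobs; I can't see its text). A reader should not have to find the sysctl node to learn what the value means or that 0 is the deliberate, safe default. Suggest `int icmpbmcastecho = 0;	/* answer echo/tstamp sent to b/mcast? (net.inet.icmp.bmcastecho, default off) */`.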
@@ -542,6 +543,11 @@ icmp_input(struct mbuf *m, ...)
break;
case ICMP_ECHO:
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
+ ICMP_STATINC(ICMP_STAT_BMCASTECHO);
+ break;
+ }
icp->icmp_type = ICMP_ECHOREPLY;
goto reflect;
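Review bot: The guard added to the ICMP_ECHO case tests `M_MCAST | M_BCAST` in `m_flags`, which as far as this hunk shows are the flags the link layer sets from the frame's destination, not a check of the IP destination address. If the input path does not also set M_BCAST for a packet whose IP destination is a broadcast address (ip_input is outside this diff, so I cannot confirm either way), a host on the same segment can still elicit a reply by sending the IP-broadcast destination inside a unicast frame, which is the amplifier case the PR quotes from CA-1998-01. Worth verifying; if the flags alone are not enough, extend the condition with an IP-level test such as `|| in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)` using the `struct ip *` that icmp_input derives from the mbuf before this switch. The enclosing icmp_input starts and ends outside the hunk.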
@@ -550,6 +556,11 @@ icmp_input(struct mbuf *m, ...)
ICMP_STATINC(ICMP_STAT_BADLEN);
break;
}
+ if (!icmpbmcastecho &&
+ (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
+ ICMP_STATINC(ICMP_STAT_BMCASTTSTAMP);
+ break;
+ }
icp->icmp_type = ICMP_TSTAMPREPLY;
icp->icmp_rtime = iptime();
icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
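Review bot: The broadcast/multicast test added to the ICMP_TSTAMP case is a verbatim copy of the one in the ICMP_ECHO case above, differing only in the counter bumped; a small helper such as `static inline int icmp_bmcast_drop(const struct mbuf *m) { return !icmpbmcastecho && (m->m_flags & (M_MCAST | M_BCAST)) != 0; }` would keep the two in step when the predicate is later tightened. Placing the test after the existing BADLEN check is the right order: a malformed request is still reported as bad length whatever its destination. The enclosing icmp_input starts and ends outside the hunk.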
@@ -1055,6 +1066,14 @@ sysctl_netinet_icmp_setup(struct sysctll
sysctl_net_inet_icmp_stats, 0, NULL, 0,
CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_STATS,
CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "bmcastecho",
+ SYSCTL_DESCR("Respond to ICMP_ECHO or ICMP_TIMESTAMP "
+ "message to the broadcast or multicast"),
+ NULL, 0, &icmpbmcastecho, 0,
+ CTL_NET, PF_INET, IPPROTO_ICMP, ICMPCTL_BMCASTECHO,
+ CTL_EOL);
}
void
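Review bot: The SYSCTL_DESCR text on the new node, "Respond to ICMP_ECHO or ICMP_TIMESTAMP message to the broadcast or multicast", is what `sysctl -d` shows an administrator and reads awkwardly as a description of a boolean. Suggest `SYSCTL_DESCR("Answer ICMP echo/timestamp requests sent to broadcast or multicast addresses")`, which also matches the wording the patch adds to sysctl.7. The enclosing sysctl_netinet_icmp_setup starts and ends outside the hunk.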
Index: usr.bin/netstat/inet.c
===================================================================
RCS file: /cvsroot/NetBSD/src/usr.bin/netstat/inet.c,v
retrieving revision 1.91
diff -b -u -p -r1.91 inet.c
--- usr.bin/netstat/inet.c 14 Sep 2009 10:36:50 -0000 1.91
+++ usr.bin/netstat/inet.c 28 Oct 2009 12:57:35 -0000
@@ -582,6 +582,8 @@ icmp_stats(u_long off, const char *name)
p(ICMP_STAT_TOOSHORT, "\t%llu message%s < minimum length\n");
p(ICMP_STAT_CHECKSUM, "\t%llu bad checksum%s\n");
p(ICMP_STAT_BADLEN, "\t%llu message%s with bad length\n");
+ p(ICMP_STAT_BMCASTECHO, "\t%llu multicast echo request%s ignored\n");
+ p(ICMP_STAT_BMCASTTSTAMP, "\t%llu multicast timestamp request%s
ignored\n");
for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
if (icmpstat[ICMP_STAT_INHIST + i] != 0) {
if (first) {
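Review bot: The two new netstat labels say "multicast ... ignored", but the counters they print are bumped for both broadcast and multicast drops (the header names them `b/mcast`), so an operator looking for smurf-style broadcast probes will not recognise the line. Suggest `p(ICMP_STAT_BMCASTECHO, "\t%llu broadcast/multicast echo request%s ignored\n");` and `p(ICMP_STAT_BMCASTTSTAMP, "\t%llu broadcast/multicast timestamp request%s ignored\n");`. The enclosing icmp_stats starts and ends outside the hunk.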
Index: share/man/man7/sysctl.7
===================================================================
RCS file: /cvsroot/NetBSD/src/share/man/man7/sysctl.7,v
retrieving revision 1.27
diff -b -u -p -r1.27 sysctl.7
--- share/man/man7/sysctl.7 5 Oct 2009 10:47:52 -0000 1.27
+++ share/man/man7/sysctl.7 28 Oct 2009 12:57:35 -0000
@@ -983,6 +983,7 @@ The currently defined protocols and name
.It icmp maskrepl integer yes
.It icmp rediraccept integer yes
.It icmp redirtimeout integer yes
+.It icmp bmcastecho integer yes
.It ip allowsrcrt integer yes
.It ip anonportmax integer yes
.It ip anonportmin integer yes
@@ -1192,6 +1193,9 @@ ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
+.It Li icmp.bmcastecho
+If set to 1, enables responding to ICMP echo or timestamp request to the
+broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
>Unformatted: