From owner-announce-jp@jp.FreeBSD.org Thu Feb 27 23:11:16 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id h1REBGH25061;
	Thu, 27 Feb 2003 23:11:16 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Message-Id: <20030227.215933.78699929.hrs@eos.ocn.ne.jp>
To: announce-jp@jp.FreeBSD.org
From: Hiroki Sato <hrs@jp.FreeBSD.org>
In-Reply-To: <200302241305.h1OD5b1v099752@freefall.freebsd.org>
References: <200302241305.h1OD5b1v099752@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 2.2 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
Date: Thu, 27 Feb 2003 21:59:33 +0900
X-Sequence: announce-jp 1106
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies
Errors-To: owner-announce-jp@jp.FreeBSD.org
Sender: owner-announce-jp@jp.FreeBSD.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030107


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-03:03.syncookies (2003-02-24)
 * Brute force attack on SYN cookies
=============================================================================

 This message is a Japanese translation of the following message,
 which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 24 Feb 2003 05:05:37 -0800
  Message-Id: <200302241305.h1OD5b1v099752@freefall.freebsd.org>
  X-Sequence: announce-jp 1102

 The original text is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the patches and other
 content have not been tampered with, refer to the original text.

 For details about the Japanese translation and the use of mirror sites,
 see "A. About the Japanese edition of FreeBSD Security Advisories" at
 the end of this message.


                            [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)
=============================================================================
FreeBSD-SA-03:03.syncookies                                 Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:	SYN cookies $B$KBP$9$k%V%k!<%H%U%)!<%9967b(B
                (Brute force attack on SYN cookies)

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	sys_netinet
$B9pCNF|(B:		2003-02-24
$B%/%l%8%C%H(B:	Mike Silbersack <silby@FreeBSD.org>
$B1F6AHO0O(B:	FreeBSD 4.5-RELEASE
                4.6.2-RELEASE-p9 $B$h$jA0$N(B FreeBSD 4.6-RELEASE
                4.7-RELEASE-p6 $B$h$jA0$N(B FreeBSD 4.7-RELEASE 
                $B=$@5F|$h$jA0$N(B FreeBSD 4.7-STABLE
                5.0-RELEASE-p3 $B$h$jA0$N(B FreeBSD 5.0-RELEASE
$B=$@5F|(B:		2003-02-23 19:04:58 UTC (RELENG_4)
                2003-02-23 20:18:48 UTC (RELENG_5_0)
                2003-02-23 20:19:29 UTC (RELENG_4_7)
                2003-02-24 02:42:06 UTC (RELENG_4_6)
FreeBSD $B$K8GM-$+(B:	YES


I.  $BGX7J(B - Background

SYN cookies $B$O!"(BSYN flood $B967b$X$NBQ@-$r8~>e$5$;$k$?$a$K;H$o$l$k5;=Q$N(B
$B$R$H$D$G$9!#$3$l$O!"0E9f$K;H$o$l$k<jK!$r;H$C$F8!::2DG=$J(B
$B=i4|(B TCP $B%7!<%1%s%9HV9f(B (ISN) $B$rA*Br$9$k$3$H$G!"(BSYN flood $B967b$N1F6A$r(B
$BDc8:$7$^$9!#(BFreeBSD $B$G$O!"$3$N5;=Q$,%G%U%)%k%H$G(B TCP $B%9%?%C%/$K(B
$B<BAu$5$l$F$$$^$9(B ($B$3$N<BAu$O(B `syncookies' $B$H8F$P$l$F$$$^$9(B)$B!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

FreeBSD $B$N(B syncookie $B<BAu$O@8@.$7$?(B ISN $B$r!"$$$/$D$+$NDj4|E*$K(B
$B%m!<%F!<%H$5$l$kFbItHkL)80$N$R$H$D$+$i@8@.$7$?(B MAC ($BLuCm(B: Message
Authentication Code$B!#%G!<%?$N2~JQ$r8!=P$9$k$?$a$NJ}K!$N$R$H$D(B) $B$r(B
$B;H$C$FJ]8n$7$^$9!#$7$+$7!"$3$NFbItHkL)80$O(B 32 $B%S%C%H$ND9$5$7$+$J$/!"(B
$B%V%k!<%H%U%)!<%9967b$,2DG=$G$9!#(B


III.  $B1F6AHO0O(B - Impact

$B$R$H$D$N(B syncookie $BHkL)80$NI|85$K@.8y$9$k$H!"967b<T$O$=$NHkL)80$,(B
$B%m!<%F!<%H$5$l$k$^$G(B ($BDL>o$O:GD9$G$b(B 4 $BIC(B)$B!"M-8z$J(B ISN $B$r(B
$B@8@.$G$-$k$h$&$K$J$j$^$9!#$3$&$7$F@8@.$7$?M-8z$J(B ISN $B$r;H$&$H!"(B
$B$h$/CN$i$l$F$$$k(B ISN $BM=B,967b(B ($B;29MJ88%$r;2>H(B) $B$H$^$C$?$/F1MM$N(B
$BJ}K!$G(B TCP $B@\B3$r:>>N(B (spoof) $B$9$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9!#(B
TCP $B@\B3$r:>>N$9$k$3$H$G!"967b<T$O(B tcp_wrappers $B$dB?$/$N(B
$B%U%!%$%"%&%)!<%k$K<BAu$5$l$F$$$k(B IP $B%Y!<%9$N%"%/%;%9@)8f%j%9%H$r(B
$B%P%$%Q%9$9$k$3$H$d!"(BSMTP $B$J$I$N@\B3$r56B$$7$F!"0-MQ$7$F$$$k(B
$B%f!<%6$NDI@W$r:$Fq$K$9$k$3$H$,2DG=$K$J$k$G$7$g$&!#$^$?!"(B
syncookie $BHkL)80$,$R$H$DI|85$G$-$k$H!"F1$8(B 31.25ms $B0JFb$K(B
$B3+;O$7$?(B TCP $B@\B3$r967b<T$,(B reset $B$9$k$3$H$b2DG=$K$J$j$^$9!#(B


IV.  $B2sHrJ}K!(B - Workaround

syncookies $B$O(B `net.inet.tcp.syncookies' sysctl(8) $BJQ?t$r;H$C$F(B
$BL58z$K$9$k$3$H$,2DG=$G$9!#$=$l$K$O(B root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

  # sysctl net.inet.tcp.syncookies=0

To disable syncookies at system startup, add the following line to the
sysctl.conf(5) file.

  net.inet.tcp.syncookies=0


V.   $B2r7h:v(B - Solution

($BLuCm(B: $B<!$N$$$:$l$+0l$D$K=>$C$F$/$@$5$$!#(B)

1) $B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r:G?7$N(B 4.7-STABLE$B!"$b$7$/$O=$@5F|0J9_$N(B
   RELENG_4_7 (4.7-RELEASE-p6)$B!"(BRELENG_4_6 (4.6.2-RELEASE-p9)$B!"(B
   RELENG_5_0 (5.0-RELEASE-p3) $B%;%-%e%j%F%#%V%i%s%A$N$$$:$l$+$K(B
   $B%"%C%W%0%l!<%I$9$k!#(B

2) $B8=:_$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k!#(B

$B0J2<$N=$@5%Q%C%A$O!"(BFreeBSD 4.6$B!"(BFreeBSD 4.7$B!"(BFreeBSD 5.0 $B$N3F%7%9%F%`$K(B
$BE,MQ2DG=$J$3$H$,3NG'$5$l$F$$$^$9!#(B

a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch.asc

b) $B=$@5%Q%C%A$rE,MQ$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch

 ($BLuCm(B: /path/to/patch $B$NItJ,$O=$@5%Q%C%A$N%Q%9L>$KCV$-49$($F$/$@$5$$(B)

c) Rebuild the kernel following the procedure described at
   <URL:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html >
   and reboot the system.
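
The affected releases and fixed patch levels named in this advisory, turned into a check for a release string as printed by `uname -r`. This is an added example, not part of the advisory or of FreeBSD: the function name sa0303_status and its result words are made up here, and treating every 4.6-RELEASE patch level as earlier than 4.6.2-RELEASE-p9 is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a FreeBSD release string,
# as printed by `uname -r`, against the patch levels named in
# FreeBSD-SA-03:03.syncookies. sa0303_status is a hypothetical helper name.
# Prints one of: affected | fixed | check-date | not-listed

sa0303_status() {
    rel=$1
    # Split "4.7-RELEASE-p6" into base "4.7-RELEASE" and patch level "6".
    case "$rel" in
        *-RELEASE-p*) plevel=${rel##*-p}; base=${rel%-p*} ;;
        *)            plevel=0; base=$rel ;;
    esac
    # A non-numeric patch level is not something this check can judge.
    case "$plevel" in
        ''|*[!0-9]*) echo not-listed; return 0 ;;
    esac
    case "$base" in
        # 4.5-RELEASE is listed as affected with no fixed patch level.
        4.5-RELEASE) echo affected; return 0 ;;
        # Assumption: the fix is listed at 4.6.2-RELEASE-p9, so any patch
        # level of plain 4.6-RELEASE is treated as earlier than the fix.
        4.6-RELEASE) echo affected; return 0 ;;
        4.6.2-RELEASE) fixed=9 ;;
        4.7-RELEASE)   fixed=6 ;;
        5.0-RELEASE)   fixed=3 ;;
        # 4.7-STABLE is fixed by date (2003-02-23 19:04:58 UTC, RELENG_4),
        # which the release string does not carry.
        4.7-STABLE) echo check-date; return 0 ;;
        # Anything the advisory does not name is left for manual review.
        *) echo not-listed; return 0 ;;
    esac
    if [ "$plevel" -ge "$fixed" ]; then echo fixed; else echo affected; fi
}

# Constructed sample inputs; on a live host pass "$(uname -r)" instead.
for r in 4.5-RELEASE 4.6.2-RELEASE-p8 4.7-RELEASE-p6 5.0-RELEASE 4.7-STABLE; do
    printf '%-18s %s\n' "$r" "$(sa0303_status "$r")"
done
```

A `check-date` result means the kernel build date has to be compared with the correction dates in the advisory header by hand.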


VI.  $B=$@5$N>\:Y(B - Correction details

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

$B%Q%9L>(B                                                          $B%j%S%8%g%s(B
  $B%V%i%s%A(B
- -------------------------------------------------------------------------
src/sys/conf/newvers.sh
  RELENG_5_0                                                     1.48.2.4
  RELENG_4_7                                                1.44.2.26.2.8
  RELENG_4_6                                               1.44.2.23.2.26
src/sys/netinet/tcp_syncache.c
  RELENG_4                                                       1.5.2.13
  RELENG_5_0                                                     1.28.2.3
  RELENG_4_7                                                  1.5.2.8.2.1
  RELENG_4_6                                                  1.5.2.6.2.2
-------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL: http://cr.yp.to/syncookies.html >
<URL: http://www.cert.org/advisories/CA-2001-09.html >


A.   About the Japanese edition of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD
Japanese Documentation Project (doc-jp). Past Japanese editions of the
security advisories are collected at

 http://www.FreeBSD.org/ja/security/

Please note, however, that the translator and doc-jp make no warranty
of any kind regarding the content. Send comments, requests and
inquiries about the Japanese translation to doc-jp@jp.FreeBSD.org.

The WWW site http://www.FreeBSD.org/ and the FTP site
ftp://ftp.FreeBSD.org/ mentioned in this advisory have mirror sites in
Japan. To ease network congestion, please consider using a mirror site
first.

To use the Japanese mirror sites, replace
http://www.FreeBSD.org/ with http://www.jp.FreeBSD.org/www.freebsd.org/
and ftp://ftp.FreeBSD.org/ with ftp://ftp.jp.FreeBSD.org/
respectively.

Details about mirror sites, including those in other regions, are
collected at

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html (English)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html (Japanese translation)

