From owner-doc-jp-work@jp.FreeBSD.org Mon Mar  8 22:49:37 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id i28DnbQ56978;
	Mon, 8 Mar 2004 22:49:37 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from wasley.bl.mmtr.or.jp (wasley.bl.mmtr.or.jp [210.228.173.142])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with SMTP/inet id i28Dnb756973
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 8 Mar 2004 22:49:37 +0900 (JST)
	(envelope-from rushani@bl.mmtr.or.jp)
Received: (qmail 7501 invoked from network); 8 Mar 2004 13:49:31 -0000
Received: from pl229.nas921.niigata.nttpc.ne.jp (HELO localhost) (210.153.208.229)
  by wasley.bl.mmtr.or.jp with SMTP; 8 Mar 2004 13:49:31 -0000
Message-Id: <20040308.224844.74747362.rushani@bl.mmtr.or.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hideyuki KURASHINA <rushani@bl.mmtr.or.jp>
In-Reply-To: <20040308.073548.133830425.hrs@eos.ocn.ne.jp>
References: <200403021955.i22Jti60024050@freefall.freebsd.org>
	<20040308.073548.133830425.hrs@eos.ocn.ne.jp>
X-URL: http://www.rushani.jp/
X-PGP-Public-Key: http://www.rushani.jp/rushani.asc
X-PGP-Fingerprint: A052 6F98 6146 6FE3 91E2  DA6B F2FA 2088 439A DC57
X-RC5-72-Stats: http://stats.distributed.net/participant/psummary.php?project_id=8&id=432320
X-Mailer: Mew version 4.0.64 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Mon, 08 Mar 2004 22:48:44 +0900
X-Sequence: doc-jp-work 842
Subject: [doc-jp-work 842] Re: [FreeBSD-Announce] FreeBSD Security
 Advisory FreeBSD-SA-04:04.tcp
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: rushani@bl.mmtr.or.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040307

$BARIJ(B@$B?73c$G$9(B.

>>> On Mon, 08 Mar 2004 07:35:48 +0900, Hiroki Sato <hrs@eos.ocn.ne.jp> said:

> $B:4F#!wEl5~M}2JBg3X$G$9!#(B
[...]
> I.   $BGX7J(B - Background
> 
> The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
> provides a connection-oriented, reliable, sequence-preserving data
> stream service.  When network packets making up a TCP stream (``TCP
> segments'') are received out-of-sequence, they are maintained in a
> reassembly queue by the destination system until they can be re-ordered
> and re-assembled.
> 
> TCP/IP $B%W%m%H%3%k%9%$!<%H$K4^$^$l$k(B TCP (Transmission Control Protocol) $B$O!"(B
> $B@\B37?$G?.Mj@-$,9b$/!"E~Ce=g$,J]B8$5$l$k%G!<%?%9%H%j!<%`%5!<%S%9$r(B
> $BDs6!$7$^$9!#(BTCP $B%9%H%j!<%`$r9=@.$9$k%M%C%H%o!<%/%Q%1%C%H(B (TCP $B%;%0%a%s%H(B) $B$,(B
> $B$P$i$P$i$N=g=x$G<u?.$5$l$?>l9g!"$=$l$i$N%Q%1%C%H$O!"%Q%1%C%H=g$N@0Ns$H(B
> $B:F9=@.$,40N;$9$k$^$G!"<u?.$5$l$?%7%9%F%`B&$N:F9=@.%-%e!<(B (reassembly
> queue) $B$K3JG<$5$l$^$9!#(B

$BFs$DL\$NJ8>O$N!V<u?.$5$l$?!W$H$$$&8@MU$O2?$+0z$C$+$+$k5$$,$7$^$9(B.

  TCP $B%9%H%j!<%`$r9=@.$9$k%M%C%H%o!<%/%Q%1%C%H(B (TCP $B%;%0%a%s%H(B) $B$r(B
  $B$P$i$P$i$N=g=x$G<u?.$7$?>l9g!"%7%9%F%`$O$=$l$i$N%Q%1%C%H$r=g$K(B
  $B@0Ns$7:F9=@.$r40N;$9$k$^$G!":F9=@.%-%e!<(B (reassembly queue) $B$K3JG<$7$^$9!#(B

$B$H$9$k$H(B, $B$I$&$G$7$g$&(B.

> III. $B1F6AHO0O(B - Impact
> 
> A remote attacker may conduct a low-bandwidth denial-of-service attack
> against a machine providing services based on TCP (there are many such
> services, including HTTP, SMTP, and FTP).  By sending many
> out-of-sequence TCP segments, the attacker can cause the target machine
> to consume all available memory buffers (``mbufs''), likely leading to
> a system crash.
> 
> $B%j%b!<%H$N967b<T$O!"(BTCP $B$r;H$C$?%5!<%S%9(B (HTTP, SMTP, FTP $B$J$I!"(BTCP
> $B$r;H$C$?%5!<%S%9$O?tB?$/$"$j$^$9(B) $B$rDs6!$7$F$$$k%^%7%s$KBP$7$F!"(B
> $B$"$k<o$NDcB.%5!<%S%9K832967b$r$*$3$J$&$3$H$,$G$-$^$9!#(B

$B>r7o$,!V%Q%1%C%H=g$,$P$i$P$i$N(B TCP $B%;%0%a%s%H$rB??tAw$jIU$1$k$3$H!W$@$1(B
$B$J$i=y!9$K%5!<%S%9K832>uBV$K$9$k$3$H$b(B, $B=V;~$K$=$N$h$&$J>uBV$K$9$k$3$H$b(B
$B$G$-$k$h$&$K;W$$$^$9(B.

mbuf $B$,>/$J$/$J$k(B ($B$^$?$O8O3i$9$k(B) $B$H(B TCP $B@\B3$r$9$k>e$G$^$:2?$,:$$k$+(B
$B$H9M$($k$H(B, References $B$K$"$k(B iDEFENSE $B$N(B Security Advisory $B$K7G:\$5$l$F(B
$B$$$k$h$&$K(B,

> II. DESCRIPTION
[...]
> By sending many out-of-sequence packets, a low bandwidth denial of
> service attack is possible against FreeBSD. When the targeted system
> runs out of memory buffers (mbufs), it is no longer able to accept or
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> create new connections.
  ^^^^^^^^^^^^^^^^^^^^^^^

$B?75,$K(B TCP $B@\B3$r<u$1IU$1$k$3$H$,$G$-$J$/$J$k(B ($B$^$?$O:$Fq$K$J$k(B) $B$3$H$G$O(B
$B$J$$$G$7$g$&$+(B. $B$J$N$G(B,

>  04:04 $B$G$9!#(Ba low-bandwidth DoS attack $B$NLu8l$,(B
>  $B$$$^$$$A$J$N$G!"$40U8+Jg=8!#(B

$BK\Mh<u$1IU$1$k$3$H$,$G$-$k@\B3?t$h$j$b(B, $B967b$K$h$C$F@\B3?t$rITEv$K(B
$B>/$J$$>uBV$K$5$;$i$l$F$7$^$&2DG=@-$,$"$k$H$$$&$3$H$G(B, $B$=$N$^$^Lu$7$F(B
$B!VDcBS0h!W$^$?$O!V(BTCP $B@\B3$r:$Fq$K$9$k!W$G$O$I$&$G$9$+(B.

-- rushani
