Date: Sun, 12 Aug 2001 22:54:05 +0900 (JST)
Message-Id: <20010812.225405.74755960.y-koga@jp.FreeBSD.org>
To: doc-jp@jp.freebsd.org
From: Koga Youichirou <y-koga@jp.freebsd.org>
In-Reply-To: <20010809014423.29E6.ASATOH@pc.mycom.co.jp>
References: <20010809014423.29E6.ASATOH@pc.mycom.co.jp>
Subject: [doc-jp 8331] Re: FreeBSD-SA-01:52

SATO Akihiro <asatoh@pc.mycom.co.jp>:
> This is my first time posting here. I look forward to working with you all.

Hello.

> This time I am sending a translation of SA-01:52, so please review it.

That's wonderful.

$B$3$l$^$G$N(B FreeBSD-SA $B$H9g$o$;$k$?$a$K!"(B
http://www.ed.noda.sut.ac.jp/~j7301620/FreeBSD/doc-jp/announce-jp/FreeBSD-SA/freebsd-sa.txt
$B$b;29M$K$5$l$k$H$h$$$G$7$g$&!#",$K=q$$$F$"$kJ,$O!"$3$3$G$O?($l$^$;$s(B
($B%;%/%7%g%s%?%$%H%k$J$I(B)$B!#(B

> By the way, the numbering in the original jumps from IV to VI; would it be
> better to leave that as it is?
> # For now, I have renumbered the sections in the translation.

Either is fine, I think, but either way it would be good to add a note.

> =============================================================================
> FreeBSD-SA-01:52                                            Security Advisory
>                                                                 FreeBSD, Inc.
> 
> Topic:		Denial of service using fragmented IPv4 packets
> $B%H%T%C%/(B:	$BCGJR2=$5$l$?(BIPv4$B%Q%1%C%H$r;H$C$?(BDoS$B967b(B

$BCGJR2=$b%U%i%0%a%s%H2=$b$I$A$i$b;H$$$^$9$M!#(B

$B$"$H!"(Bdoc-jp $B$G$O4A;z$H(B ASCII $B$N4V$K$O6uGr$rF~$l$F$$$^$9(B ($B$I$3$+$K$=$&(B
$B$$$&$3$H=q$$$?J8=q$J$$$+$J!)(B)$B!#$J$N$G!"(B

$B%H%T%C%/(B:	$BCGJR2=$5$l$?(B IPv4 $B%Q%1%C%H$r;H$C$?(B DoS

$B$H$J$j$^$9!#0J2<F1MM$G$9!#(B

DoS $B$O(B Attack $B$,$D$+$J$1$l$P967b$N0UL#$O$"$j$^$;$s(B ($B967b$K$D$$$F$NJ8=q(B
$B$G$O$"$j$^$;$s$7(B)$B!#(B

> $BCx<T(B:		"James Thomas" via NetBSD

via $B$OLu=P$7$?$$$G$9!#(B

> $B1F6AHO0O(B:	FreeBSD 3.x$B!"JB$S$K(B4.4$B$h$jA0$N(B4.x-RELEASE$BA4$F(B

$BA4$F"*$9$Y$F(B ($B0J2<F1MM(B)
$B!""*(B, 

> II. Problem Description
> II. $BLdBj$N@bL@(B
> 
> Remote users may be able to prevent a FreeBSD system from
> communicating with other systems on the network by transmitting large
> numbers of fragmented IPv4 datagrams.  For the attack to be effective,
> the attacker must have a high-bandwidth connection to the target
> system (for example, connected via a local network or over a fast
> remote network connection).
> $B%j%b!<%H%f!<%6!<$O(B, $BCGJR2=$5$l$?(BIPv4$B%G!<%?%0%i%`$rBgNL$KEAAw$9$k$3$H$K(B
> $B$h$C$F(B, FreeBSD$B%7%9%F%`$,%M%C%H%o!<%/>e$NB>$N%7%9%F%`$HDL?.$9$k$N$rK832(B
> $B$9$k$3$H$,$G$-$^$9(B. $B967b$K$h$k1F6ANO$r9b$a$k$?$a$K$O!"967b<T$O%?!<%2%C(B
> $B%H$H$J$k%7%9%F%`$KBP$7$F9bB.$K@\B3$G$-$k4D6-(B ($BNc(B: LAN$B7PM3$G$N@\B3(B, $B9bB.(B
> $B$J%j%b!<%H%M%C%H%o!<%/@\B3(B) $B$r;}$C$F$$$J$1$l$P$J$j$^$;$s!#(B

$B%f!<%6!<"*%f!<%6(B ($B0J2<F1MM(B)
$BEAAw$9$k"*Aw?.$9$k(B
$B967b$K$h$k1F6ANO$r9b$a$k$?$a$K$O"*967b$,M-8z$H$J$k$?$a$K$O(B
($B$3$3$NJ8$O5$;}$A$H$7$F$O$?$@$7=q$-$G$7$g$&(B)

> (e.g. if the system is a busy server which
> typically receives a lot of fragmented datagrams, you may want to set
> the value higher).
> (例えば, 普段から断片化されたデータグラム
> を大量に受信する忙しいサーバーの場合は, この値を高めに設定したいと思う
> ことでしょう)

例えば→たとえば
サーバー→サーバ

> Note however that attackers are still able to prevent legitimate
> fragmented IPv4 traffic from being reassembled by flooding the system
> with bogus fragmented datagrams and keeping the reassembly queues
> full.  Unfragmented IPv4 communications will be unaffected by such an
> attack when this variable is set.
> $B$J$*(B, ($B%-%e!<$NNL$K>e8B$r@_Dj$7$?>l9g$G$b(B) $B967b<TB&$O(B, $BL50UL#$J%G!<%?%0(B
> $B%i%`$NCGJR$rBgNL$K%7%9%F%`$KAw$j$D$1(B, $B:F9=@.%-%e!<$,0lGU$N>uBV$KJ]$D$3(B
> $B$H$G(B, $B@5Ev$JCGJR2=$5$l$?(BIPv4$B%H%i%U%#%C%/$,:F9=@.$5$l$k$N$rK832$9$k$3$H(B
> $B$,$G$-$F$7$^$&$3$H$KCm0U$7$F2<$5$$(B. $B>e5-$NJQ?t$,@_Dj$5$l$F$$$k>l9g(B, $BCG(B
> $BJR2=$5$l$F$$$J$$(BIPv4$BDL?.$O967b$N1F6A$r<u$1$^$;$s(B.

$B2<$5$$"*$/$@$5$$(B ($B0J2<F1MM(B)

> IV. Workaround
> IV. $B;CDjBP1~(B
> This may provide a temporary solution until the patch can be applied:
> normally, it is the cluster mbufs which are exhausted by this attack.
> By setting NMBCLUSTERS to a higher value, you may be able to prevent
> the mbuf memory pool from being starved.
> $B$3$l$O%Q%C%A$,E,MQ$5$l$k$^$G$N4V$N0l;~E*$J2r7h:v$H$J$j$^$9(B: $BDL>o$3$N96(B
> $B7b$K$h$C$F8O3i$9$k$N$O%/%i%9%?$N%a%b%j%P%C%U%!$G$9(B. NBMCLUSTERS$B$NCM$r9b(B
> $B$/@_Dj$7$F$*$/$3$H$G(B, $B%a%b%j%P%C%U%!%W!<%k$,8O3i$9$k2DG=@-$,Dc$/$J$j$^(B
> $B$9(B.

:$B"*(B. ($B0J2<F1MM(B)

> VI.  Solution
> V.  $B2r7h:v(B
- snip -
> 2) To patch your present system: download the relevant patch from the
> below location, and execute the following commands as root:
> 2) $B%7%9%F%`$K%Q%C%A$rEv$F$k(B: $B2<5-$N>l=j$+$iE,@Z$J%Q%C%A$r%@%&%s%m!<%I$7(B,
> root$B8"8B$G2<5-$N%3%^%s%I$r<B9T$7$^$9(B.

$B%Q%C%A$rEv$F$k"*%Q%C%A$rE,MQ$9$k(B ($B0J2<F1MM(B)

> 3) FreeBSD 4.3-RELEASE systems:
> 3) FreeBSD 4.3-RELEASE $B%7%9%F%`(B:
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process.
> バイナリアップグレードプロセスに対する実験・フィードバックに参加したい
> ユーザーに対しては, 実験的なアップグレードパッケージが提供されます.

提供されます→提供されています

> Since this vulnerability involves the FreeBSD kernel which is often
> locally customized on installed systems, a universal binary upgrade
> package is not feasible.
> $B:#2s$N%;%-%e%j%F%#%[!<%k$O(BFreeBSD$B%+!<%M%k$r4^$_(B, $B%+!<%M%k$O$h$/%$%s%9%H!<(B
> $B%k:Q$N%7%9%F%`$K$*$$$F%+%9%?%^%$%:$r<u$1$k$?$a$K(B, $BA4$F$KE,9g$9$k$h$&$J(B
> $B%P%$%J%j%"%C%W%0%l!<%I%Q%C%1!<%8$O:n@.$G$-$^$;$s(B.

$B!V:#2s$N%;%-%e%j%F%#>e$N<eE@$O(B FreeBSD $B%+!<%M%k$r4^$s$G$*$j(B, FreeBSD
$B%+!<%M%k$O%$%s%9%H!<%k$5$l$F$$$k%7%9%F%`$G%+%9%?%^%$%:$5$l$F$$$k$3$H$,(B
$B$7$P$7$P$"$k$N$G(B, $B$9$Y$F$K!D!W(B

> These backup copies will be
> reinstalled if the package is removed, reverting the system to a
> pre-patched state.
> パッケージが削除されると、これらのバックアップファ
> イルは元の位置に戻り, システムはパッチ前の状態に戻ります.

パッチ前→パッチ適用前
----
Koga Youichirou
