Log message:
Code to disable IP options was removed early on in the u2.10.11 release
cycle, apparently due to a misunderstanding of what the code was trying to
accomplish. There are only a handful of IP options available today, and
none of them affect performance...whereas some (namely, source routing) can
affect security. The code that was removed (and which is added back in
this patch) disables those options. When a source route is removed, the
spoofed origin can't receive packets from the server. If the source route
were *not* removed, a spoofer would receive the anti-spoof ping, and thus
be able to return it, re-opening the IP spoof attack. Note: This does not
affect TCP options; those are critical to performance, but they are only
interpreted by the TCP layer, and thus are enclosed in the TCP-controlled
portion of the IP packet. IP options are contained in the IP header.
git-svn-id: file:///home/klmitch/undernet-ircu/undernet-ircu-svn/ircu2/trunk@539 c9e4aea6-c8fd-4c43-8297-357d70d61c8c
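The technique the log message describes, sketched as an added example; it is not the project's `os_disable_options`, whose implementation this page does not show. It assumes an IPv4 socket on a POSIX system, and the names `ip_options_len`, `clear_ip_options` and `accept_stripped` are hypothetical.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_IPOPT_LEN 40 /* an IPv4 header leaves at most 40 bytes for options */

/* Hypothetical helper: bytes of IP options attached to fd, or -1 on error. */
int ip_options_len(int fd)
{
    unsigned char buf[MAX_IPOPT_LEN];
    socklen_t len = sizeof(buf);
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, buf, &len) < 0)
        return -1;
    return (int)len;
}

/* Hypothetical helper: drop every IP option, source routes included. */
int clear_ip_options(int fd)
{
    return setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0 ? -1 : 0;
}

/*
 * Accept one connection and strip its IP options before replying to it.
 * *seen gets the option length found on the new socket, for logging.
 * Fails closed: a connection whose options cannot be cleared is dropped.
 */
int accept_stripped(int listen_fd, int *seen)
{
    int fd = accept(listen_fd, NULL, NULL);
    if (fd < 0)
        return -1;
    *seen = ip_options_len(fd);
    if (clear_ip_options(fd) < 0 || ip_options_len(fd) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || clear_ip_options(fd) < 0)
        return 1;
    printf("IP option bytes after clearing: %d\n", ip_options_len(fd));
    close(fd);
    return 0;
}
```

A non-zero `*seen` on an accepted connection is worth logging with the peer address, since ordinary clients do not send IP options.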
+2001-07-27 Kevin L. Mitchell <klmitch@mit.edu>
+
+ * ircd/s_bsd.c: disable IP (*not* TCP) options to prevent
+ source-routed spoofing attacks; this is only available under
+ u2.10.11, so don't even bother, since no one but testers are using
+ the source base
+
2001-07-25 Kevin L. Mitchell <klmitch@mit.edu>
* include/ircd_policy.h: enable HEAD_IN_SAND_REMOTE by default
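Review bot: In the new ChangeLog entry, "so don't even bother" has no object, so it does not say what readers should not bother with, and the entry does not mention that this restores code removed earlier in the u2.10.11 cycle, which the log message gives as the reason for the change. Suggest stating both explicitly so the security history of the IP-option handling can be read from the ChangeLog alone.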
close(fd);
return;
}
+ /*
+ * Disable IP (*not* TCP) options. In particular, this makes it impossible
+ * to use source routing to connect to the server. If we didn't do this
+ * (and if intermediate networks didn't drop source-routed packets), an
+ * attacker could successfully IP spoof us...and even return the anti-spoof
+ * ping, because the options would cause the packet to be routed back to
+ * the spoofer's machine. When we disable the IP options, we delete the
+ * source route, and the normal routing takes over.
+ */
+ os_disable_options(fd);
/*
* Add this local client to the IPcheck registry.
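Review bot: The call `os_disable_options(fd);` is a bare statement, so nothing in this hunk handles the case where clearing the options fails, and the client would go on to be added to the IPcheck registry with any source route still in place. If the helper reports an error, check it here and take the same `close(fd); return;` path as the failure branch just above, with a log line identifying the cause; if it cannot fail or returns nothing, say so in the new comment.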