From: Kevin L. Mitchell
Date: Fri, 27 Jul 2001 22:15:33 +0000 (+0000)
Subject: Author: Kev
X-Git-Url: http://git.pk910.de/?p=ircu2.10.12-pk.git;a=commitdiff_plain;h=82fce438e879fac0616e85ddcdd08bda92cfb85d

Author: Kev
Log message:

Code to disable IP options was removed early on in the u2.10.11 release cycle, apparently due to a misunderstanding of what the code was trying to accomplish. There are only a handful of IP options available today, and none of them affect performance...whereas some (namely, source routing) can affect security. The code that was removed (and which is added back in this patch) disables those options. When a source route is removed, the spoofed origin can't receive packets from the server. If the source route were *not* removed, a spoofer would receive the anti-spoof ping, and thus be able to return it, re-opening the IP spoof attack.

Note: This does not affect TCP options; those are critical to performance, but they are only interpreted by the TCP layer, and thus are enclosed in the TCP-controlled portion of the IP packet. IP options are contained in the IP header.

git-svn-id: file:///home/klmitch/undernet-ircu/undernet-ircu-svn/ircu2/trunk@539 c9e4aea6-c8fd-4c43-8297-357d70d61c8c
---
diff --git a/ChangeLog b/ChangeLog index 7f82a59..651c171 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2001-07-27 Kevin L. Mitchell + + * ircd/s_bsd.c: disable IP (*not* TCP) options to prevent + source-routed spoofing attacks; this is only available under + u2.10.11, so don't even bother, since no one but testers are using + the source base + 2001-07-25 Kevin L. Mitchell * include/ircd_policy.h: enable HEAD_IN_SAND_REMOTE by default diff --git a/ircd/s_bsd.c b/ircd/s_bsd.c index 049691c..5e78031 100644 --- a/ircd/s_bsd.c +++ b/ircd/s_bsd.c 
@@ -608,6 +608,16 @@ void add_connection(struct Listener* listener, int fd) { close(fd); return; } + /* + * Disable IP (*not* TCP) options. In particular, this makes it impossible + * to use source routing to connect to the server. If we didn't do this + * (and if intermediate networks didn't drop source-routed packets), an + * attacker could successfully IP spoof us...and even return the anti-spoof + * ping, because the options would cause the packet to be routed back to + * the spoofer's machine. When we disable the IP options, we delete the + * source route, and the normal routing takes over. + */ + os_disable_options(fd); /* * Add this local client to the IPcheck registry.
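Review bot: in the ChangeLog hunk, the clause "this is only available under u2.10.11, so don't even bother" has no clear antecedent: it does not say whether "this" is the fix or the spoofing exposure, nor what readers should not bother doing. Since the entry records a security-relevant change, spell it out, for example by stating that only the u2.10.11 tree lacked the option-clearing code and naming the thing that is not needed for other trees.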
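Review bot: in the ircd/s_bsd.c hunk, os_disable_options(fd) is called as a bare statement in add_connection(), so if clearing the options can fail, the connection continues with any source route still in place, which is exactly the case the new comment says must not happen. If the helper reports failure, check it and handle it like the error path just above ("close(fd); return;"), or at least log the failure so an operator can see that a connection was accepted with IP options still set.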