improper use of netfilter MIRROR target can cause DoS

[Fabian Melzow <biop0b () web de>]

An improper use of the experimental netfilter MIRROR target,
can be used to launch a DoS attack against two host, which
mirror the same protocol on min. one port.

An attacker can spoof packet´s, with this mirrored ports as source and
destination and an high TTL, 255 for example.

These packet´s are then mirrored on each side, until the TTL reached zero.
In a LAN without a router there packet´s will never expire. 

We tried this attack over the Internet with one packet, where a TTL of 255
was set, between Germany and Austria, with the result, that these packet was
30 times wrapped around.

Evil minds can use this attack to crash these hosts or eat up all the bandwidth,
just by sending spoofed packets.

It´s also documented in the Linux kernel help, but you won´t really think,
that the TTL is not decremented, if you read there, that the source and
destination address of the packets is reversed.


Here are some possible workarounds:

- Put a TTL decrement rule, for example  

   iptables -p all -j TTL --ttl-dec 1

  or better, a rule with a higher decrement before the MIRROR rule.

- In addition set a strong limit on the packet´s which are mirrored.

- Apply Michael´s little netfilter patch to ipt_MIRROR.c,
  which decrements the TTL by one. This patch can also be
  downloaded from
  http://www.unet.univie.ac.at/~a9900470/ipt_MIRROR-ttl.patch
  
- Don't use the MIRROR target. 



Fabian Melzow           Michael Bauer
biop0b () web de           mihi () gmx at

Attachment: ipt_MIRROR-ttl.patch
Description: ipt_MIRROR-ttl.patch