Original issue date: December 21, 1998<BR>
Last revised: --<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<P>Some systems with BSD-derived TCP/IP stacks. See
  <A HREF="#AppendixA" target="">Appendix A</A> for a complete
  list of affected systems. </P>


<P>Intruders can disrupt service or crash systems with vulnerable
TCP/IP stacks.  No special access is required, and intruders can use
source-address spoofing to conceal their true location. </P>

<H2>I. Description</H2>

<P>By carefully constructing a sequence of packets with certain
characteristics, an intruder can cause vulnerable systems to crash,
hang, or behave in unpredictable ways. This vulnerability is similar
in its effect to other denial-of-service vulnerabilities, including
the ones described in </P>


<P> <A HREF="http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html">http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html</A></P>

<P>Specifically, intruders can use this vulnerability in conjunction
with IP-source-address spoofing to make it difficult or impossible to
know their location. They can also use the vulnerability in
conjunction with broadcast packets to affect a large number of
vulnerable machines with a small number of packets.</P>

<H2>II. Impact</H2>

<P>Any remote user can crash or hang a vulnerable machine, or cause
the system to behave in unpredictable ways. </P>

<H2>III. Solution</H2>

<H3>A. Install a patch from your vendor. </H3>

<P><A HREF="#AppendixA">Appendix A</A> contains input from vendors 
who have provided information for this advisory. We will update the appendix as 
we receive more information. If you do not see your vendor's name, the CERT/CC 
did not hear from that vendor. Please contact your vendor directly. </P>

<H3>B. Configure your router or firewall to help prevent source-address spoofing.</H3>

<P>We encourage sites to configure their routers or firewalls to
reduce the ability of intruders to use source-address
spoofing. Currently, the best method to reduce the number of
IP-spoofed packets exiting your network is to install filtering on
your routers that requires packets leaving your network to have a
source address from your internal network. This type of filter
prevents a source IP-spoofing attack from your site by filtering all
outgoing packets that contain a source address of a different

<P>A detailed description of this type of filtering is available in
<A HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt"
target="">RFC 2267</A>, "Network Ingress Filtering: Defeating Denial
of Service Attacks which employ IP Source Address Spoofing" by Paul
Ferguson of Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. We
recommend it to both Internet Service Providers and sites that manage
their own routers. The document is currently available at


<P> <A HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt">http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt</A></P>

<P>Note that this type of filtering does not protect a site from the
attack itself, but it does reduce the ability of intruders to conceal
their location, thereby discouraging attacks.</P>
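<P>The egress rule described above, sketched as an added example (not part of the original advisory): it checks outbound records against the site's own prefixes and lists those a correctly configured filter would have dropped. The prefixes, the four-field log format and the sample records are assumptions constructed for illustration.</P>

```python
import ipaddress

# Assumption: the prefixes assigned to this site (documentation ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed border log: "<timestamp> <direction> <source> <destination>".
SAMPLE_LOG = """\
1998-12-21T10:00:01 out 192.0.2.17 203.0.113.5
1998-12-21T10:00:02 out 10.9.8.7 203.0.113.5
1998-12-21T10:00:02 in 203.0.113.5 192.0.2.17
1998-12-21T10:00:03 out 198.51.100.200 203.0.113.9
1998-12-21T10:00:04 out 198.51.100.20 203.0.113.255
1998-12-21T10:00:05 out not-an-ip 203.0.113.9
"""


def egress_permitted(src, internal=INTERNAL_PREFIXES):
    """RFC 2267-style rule: an outbound packet is forwarded only if its
    source address belongs to one of the site's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: cannot be one of ours
    # A version mismatch (IPv6 address, IPv4 prefix) is simply "not in".
    return any(addr in net for net in internal)


def audit_egress(log_text, internal=INTERNAL_PREFIXES):
    """Return (line_number, source, destination) for every outbound record
    whose source address the egress filter should have rejected."""
    violations = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[1] != "out":
            continue  # the rule applies only to packets leaving the site
        _, _, src, dst = fields
        if not egress_permitted(src, internal):
            violations.append((n, src, dst))
    return violations


if __name__ == "__main__":
    for n, src, dst in audit_egress(SAMPLE_LOG):
        print(f"line {n}: outbound source {src} -> {dst} is not a site address")
```

<P>A non-empty result on real border logs means the egress filter is missing or incomplete, or that an internal host is emitting packets with source addresses the site does not own.</P>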

<H1><A NAME="AppendixA"></A>Appendix A - Vendor Information</H1>

<P><U>Berkeley Software Design, Inc. (BSDI)</U></P>

<P>BSDI's current release BSD/OS 4.0 is not vulnerable to this problem. 
BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from BSDI's WWW server 
at <A HREF="http://www.bsdi.com/support/patches">http://www.bsdi.com/support/patches</A> 
or via our ftp server from the directory <A HREF="ftp://ftp.bsdi.com/bsdi/patches/patches-3.1">ftp://ftp.bsdi.com/bsdi/patches/patches-3.1</A>. 

<P><U>Cisco Systems</U></P>

<P>Cisco is not vulnerable.</P>

<P><U>Compaq Computer Corporation</U></P>

<P>SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer 
Corporation. </P>

<P>All rights reserved. </P>

<P>SOURCE: Compaq Computer Corporation<BR>
Compaq Services<BR>
Software Security Response Team USA </P>

<P>This reported problem is not present for the as shipped, Compaq's 
Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software. </P>

<P>- Compaq Computer Corporation </P>

<P><U>Data General Corporation</U></P>

<P>We are investigating. We will provide an update when our investigation 
is complete.</P>

<P><U>FreeBSD, Inc.</U></P>

<P>FreeBSD 2.2.8 is not vulnerable. <BR>
FreeBSD versions prior to 2.2.8 are vulnerable. <BR>
FreeBSD 3.0 is also vulnerable. <BR>
FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.</P>

<P>A patch is available at <A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch"> 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch</A> </P>


<P><U>Fujitsu</U></P>

<P>Regarding this vulnerability, Fujitsu's UXP/V operating system 
is not vulnerable.</P>

<P><U>Hewlett-Packard Company</U></P>

<P>HP is not vulnerable. </P>

<P><U>IBM Corporation</U> </P>

<P>AIX is not vulnerable. </P>

<P>IBM and AIX are registered trademarks of International Business 
Machines Corporation.</P>

<P><U>Livingston Enterprises, Inc.</U></P>

<P>Livingston systems are not vulnerable. </P>

<P><U>Computer Associates International</U></P>

<P>CA systems are not vulnerable.</P>

<P><U>Microsoft Corporation</U></P>

<P>Microsoft is not vulnerable. </P>

<P><U>NEC Corporation</U></P>

<P>NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not 
vulnerable to this problem.</P>


<P><U>OpenBSD</U></P>

<P>Security fixes for this problem are now available for 2.3 and 
2.4. </P>

<P>For 2.3, see </P>

<P> <A HREF="http://www.openbsd.org/errata23.html#tcpfix" target="">www.openbsd.org/errata23.html#tcpfix</A></P>

<P>For our 2.4 release which is available on CD on Dec 1, see </P>

<P><A HREF="http://www.openbsd.org/errata.html#tcpfix">www.openbsd.org/errata.html#tcpfix</A></P>

<P>The bug is fixed in our -current source tree.</P>

<P><U>Sun Microsystems, Inc.</U></P>

<P>We have confirmed that SunOS and Solaris are not vulnerable to 
the DOS attack.</P>

<P><U>Wind River Systems, Inc.</U></P>

<P>We've taken a look at our networking code and have determined 
that this is not a problem in the currently shipping version of the VxWorks RTOS.</P>

<P>The vulnerability was originally discovered by Joel Boutros of the
Enterprise Security Services team of Cambridge Technology
Partners. Guido van Rooij of FreeBSD, Inc., provided an analysis of
the vulnerability and information regarding its scope and extent.</P>


<p>Copyright 1998 Carnegie Mellon University.</p>


Revision History