From: Fabian Melzow <biop0b@web.de> To: bugtraq@securityfocus.com Subject: improper use of netfilter MIRROR target can cause DoS Date: Wed, 22 Aug 2001 00:02:08 +0200 (CEST) An improper use of the experimental netfilter MIRROR target, can be used to launch a DoS attack against two host, which mirror the same protocol on min. one port. An attacker can spoof packetīs, with this mirrored ports as source and destination and an high TTL, 255 for example. These packetīs are then mirrored on each side, until the TTL reached zero. In a LAN without a router there packetīs will never expire. We tried this attack over the Internet with one packet, where a TTL of 255 was set, between Germany and Austria, with the result, that these packet was 30 times wrapped around. Evil minds can use this attack to crash these hosts or eat up all the bandwidth, just by sending spoofed packets. Itīs also documented in the Linux kernel help, but you wonīt really think, that the TTL is not decremented, if you read there, that the source and destination address of the packets is reversed. Here are some possible workarounds: - Put a TTL decrement rule, for example iptables -p all -j TTL --ttl-dec 1 or better, a rule with a higher decrement before the MIRROR rule. - In addition set a strong limit on the packetīs which are mirrored. - Apply Michaelīs little netfilter patch to ipt_MIRROR.c, which decrements the TTL by one. This patch can also be downloaded from http://www.unet.univie.ac.at/~a9900470/ipt_MIRROR-ttl.patch - Don't use the MIRROR target. Fabian Melzow Michael Bauer biop0b@web.de mihi@gmx.at diff ipt_MIRROR.c ipt_MIRROR-ttl.c /usr/src/linux/net/ipv4/netfilter/ipt_MIRROR.c # this patch causes ipt_MIRROR to decrement ttl when mirroring # written by Michael Bauer <mihi@gmx.at> no warranties 73a74 > iph->ttl--;