
Fix SAD DNS Exploit CVE-2020-25705

Authored by cy on Nov 30 2020, 3:10 AM.


Summary

Discusses a DNS poisoning attack by leveraging network side channels by attempting to solicit ICMP_UNREACH_PORT replies. The source port number can be inferred from the rate at which ICMP_UNREACH_PORT is rate limited. The solution, as implemented on Linux, is to randomize rate limiting. This patch randomizes icmplim with a modulus of a random number divided by icmplim. This patch introduces a new icmpden (ICMP denominator) which is used to calculate the modulus. An icmpden of zero disables randomization.
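The following is an added example, not the patch under review and not FreeBSD kernel code: a small user-space model of a per-interval ICMP port-unreachable rate limiter that contrasts a fixed limit (icmpden == 0) with a randomized one. The names icmp_pick_limit, icmp_limiter_*, icmp_replies_in_interval and xorshift32 are invented for this example; icmplim and icmpden follow the sysctl names in the summary, and the value 200 is just a sample limit. The exact arithmetic is an assumption: each interval's limit is icmplim plus a random offset below icmplim / icmpden, so it can exceed icmplim, which is the behaviour the later review comment contrasts with gnn's patch.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Deterministic PRNG so the simulation is reproducible (constructed for this
 * example; a kernel implementation would draw from arc4random() instead).
 */
static uint32_t xs_state = 2463534242u;

void xorshift32_seed(uint32_t s) { xs_state = s ? s : 1u; }

uint32_t xorshift32(void)
{
    uint32_t x = xs_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    xs_state = x;
    return x;
}

struct icmp_limiter {
    int icmplim;    /* base number of ICMP errors allowed per interval */
    int icmpden;    /* denominator for the random offset; 0 disables it */
    int effective;  /* limit in force during the current interval */
    int sent;       /* errors already sent in the current interval */
};

/* Limit for a new interval: icmplim, plus a random offset in
 * [0, icmplim / icmpden) when randomization is enabled (assumed formula). */
int icmp_pick_limit(int icmplim, int icmpden)
{
    if (icmpden <= 0 || icmplim / icmpden <= 0)
        return icmplim;                      /* icmpden == 0: fixed limit */
    return icmplim + (int)(xorshift32() % (uint32_t)(icmplim / icmpden));
}

void icmp_limiter_init(struct icmp_limiter *l, int icmplim, int icmpden)
{
    l->icmplim = icmplim;
    l->icmpden = icmpden;
    l->effective = icmp_pick_limit(icmplim, icmpden);
    l->sent = 0;
}

/* Start a new accounting interval (a kernel would do this on a timer). */
void icmp_limiter_tick(struct icmp_limiter *l)
{
    l->effective = icmp_pick_limit(l->icmplim, l->icmpden);
    l->sent = 0;
}

/* Return 1 if an ICMP port-unreachable may be sent now, 0 if rate limited. */
int icmp_limiter_allow(struct icmp_limiter *l)
{
    if (l->sent >= l->effective)
        return 0;
    l->sent++;
    return 1;
}

/* Simulate `probes` datagrams to closed ports within one interval and return
 * how many ICMP replies an observer on the wire would count. */
int icmp_replies_in_interval(struct icmp_limiter *l, int probes)
{
    int replies = 0;
    icmp_limiter_tick(l);
    for (int i = 0; i < probes; i++)
        replies += icmp_limiter_allow(l);
    return replies;
}

int main(void)
{
    struct icmp_limiter fixed, jittered;
    xorshift32_seed(12345);
    icmp_limiter_init(&fixed, 200, 0);     /* deterministic: always 200 */
    icmp_limiter_init(&jittered, 200, 4);  /* 200 + [0, 50) per interval */
    printf("interval  fixed  randomized\n");
    for (int t = 0; t < 5; t++)
        printf("%8d  %5d  %10d\n", t,
               icmp_replies_in_interval(&fixed, 1000),
               icmp_replies_in_interval(&jittered, 1000));
    return 0;
}
```

With icmpden == 0 the fixed column reports exactly icmplim replies every interval, which is the stable count the side channel depends on; with icmpden > 0 the per-interval count moves within [icmplim, icmplim + icmplim/icmpden), so a count of replies no longer pins down how much of the budget was consumed by other traffic. Note the trade-off the model makes visible: the randomized limit is never below icmplim but can exceed it, so an administrator who treats icmplim as a hard ceiling should account for the extra headroom.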

Test Plan

To be determined at the moment.

Diff Detail

Lint Skipped
Tests Skipped

Event Timeline

cy requested review of this revision. Nov 30 2020, 3:10 AM

Use git diff -U99999 instead of git diff to create this patch. No functional change.

This patch is significantly smaller. The difference is icmplim could be exceeded by the modulus of the divisor whereas gnn's patch uses icmplim as an upper limit.

yuripv added inline comments.

Should the rest of the function use icmp_bandlim instead of V_icmplim?