Page MenuHomeFreeBSD

Fix SAD DNS Exploit CVE-2020-25705
AbandonedPublic

Authored by cy on Nov 30 2020, 3:10 AM.

Details

Summary

https://www.saddns.net/ discusses a DNS poisoning attack by leveraging network side channels by attempting to solicit ICMP_UNREACH_PORT replies. The source port number can be inferred from the rate at which ICMP_UNREACH_PORT is rate limited. The solution, as implemented on Linux, is randomize rate limiting. This patch randomizes icmplim with a modulus of a random number divided by icmplim. This patch introduces a new icmpden (ICMP denominator) which is used to calculate the modulus. An icmpden of zero disables randomization.

Test Plan

To be determined at the moment.

Diff Detail

Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

cy requested review of this revision.Nov 30 2020, 3:10 AM

Use git diff -U99999 instead of git diff to create this patch. No functional change.

This patch is significantly smaller. The difference is icmplim could be exceeded by the modulus of the divisor whereas gnn's patch uses icmplim as an upper limit.

yuripv added inline comments.
sys/netinet/ip_icmp.c
1141

Should the rest of the function use icmp_bandlim instead of V_icmplim?