[avahi] Linksys E4200: Received response with invalid source port

Christiano F. Haesbaert haesbaert at haesbaert.org
Mon Oct 3 08:13:01 PDT 2011


On Mon, Oct 03, 2011 at 10:36:14AM -0400, Eric Martel wrote:
> 
> Interesting opinion from a Cisco expert (I replaced non-useful text by "[...]");
> what do you think of the possible security risks? I copied my original post on
> this list at the bottom for easier reference.
> 
> <-- BEGIN OPINION -->
> 
> Again. The RFC says "MUST silently ignore".
> 
> avahi doesn't ignore it silently. It does something about it, which is not silent. [...]
> 
> They should ignore it. Don't log anything. If they think it's beneficial for
> debugging, they should offer a configuration option that allows enabling more
> verbose logging and only then log the messages.
> 
> [...]
> 
> On the contrary: logging these messages could be used for a denial of service
> attack. It's a very easy way to generate log entries and thus fill up disk
> space. Send mdns packages with invalid source ports to the avahi daemon as fast
> as you can...
> 
> Thus, with very good reason the RFC says it should be silently ignored.

You mean the draft.

> Incorrect packets should not do anything. They should not appear anywhere unless
> you specifically ask for this information, e.g. during debugging...
> 
> [...]
> 
> <-- END OPINION -->

It is a valid view, but you're missing one point, mdns is an
insecure-i-trust-you-always protocol, so *anyone* can fuck up a mdns
machine easily. I can think of at least 5 or 6 ways to do it, and it's
nothing special, mdns lets you borrow any machine resources for free.

Say for instance you just generate a lot of services, is avahi taking
into account a maximum number of services per host? I bet it isn't,
the spec doesn't say anything either.

How about forcing mdns fragmentation of packets (the continuation
packets), you just fill that and it is gone. 

But yes, not logging them would prevent your 'filling the disk'
problem, but again, I just don't see much relevance in it.

Anyways, the packet should be dropped and 'silently ignored', I just
think silently ignoring harms more than helps.

I'm *not* trolling, I wrote a full mdns/dns-sd implementation so I've
some idea of what I'm talking about. 

-- 
Christiano Farina HAESBAERT
Do NOT send me html mail.
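
The trade-off argued in this thread (drop responses whose source port is not 5353, without letting the log line become a disk-filling primitive), as an added example that is not avahi's code and not from either poster. It combines the opt-in verbose option suggested in the quoted opinion with a rate limit; `struct drop_log`, `accept_response`, `flood_log_lines` and the 5-lines-per-10-seconds limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MDNS_PORT 5353

/* Hypothetical limiter: at most `burst` log lines per `interval` seconds. */
struct drop_log {
    int verbose;            /* operator opted in to logging dropped packets */
    unsigned burst, interval;
    uint64_t window_start;  /* start of the current window, in seconds */
    unsigned emitted;       /* lines written in the current window */
    unsigned suppressed;    /* drops not logged in the current window */
};

/* Returns 1 if the response may be processed, 0 if it is dropped.
 * *logged receives the number of log lines this packet caused. */
int accept_response(struct drop_log *dl, uint16_t src_port, uint64_t now,
                    unsigned *logged)
{
    *logged = 0;
    if (src_port == MDNS_PORT)
        return 1;
    if (!dl->verbose)
        return 0;                       /* default: drop silently */
    if (now - dl->window_start >= dl->interval) {
        if (dl->suppressed) {           /* one summary line per window */
            fprintf(stderr, "suppressed %u similar messages\n", dl->suppressed);
            (*logged)++;
        }
        dl->window_start = now;
        dl->emitted = dl->suppressed = 0;
    }
    if (dl->emitted < dl->burst) {
        fprintf(stderr, "Received response with invalid source port %u\n",
                (unsigned)src_port);
        dl->emitted++;
        (*logged)++;
    } else {
        dl->suppressed++;
    }
    return 0;                           /* dropped either way */
}

/* Constructed flood: per_sec bad packets each second for `seconds` seconds.
 * Returns the total number of log lines written. */
unsigned flood_log_lines(int verbose, unsigned per_sec, unsigned seconds)
{
    struct drop_log dl = { verbose, 5, 10, 0, 0, 0 };
    unsigned total = 0, logged;
    for (unsigned t = 0; t < seconds; t++)
        for (unsigned i = 0; i < per_sec; i++) {
            accept_response(&dl, 40000, 100 + t, &logged);
            total += logged;
        }
    return total;
}
```

With the limiter, log growth is bounded by elapsed time rather than by the sender's packet rate, and the summary line still records that a flood happened.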

