COMMAND

    Mirror

SYSTEMS AFFECTED

    Mirror

PROBLEM

    Fabian Melzow found the following.  An improper use of the
    experimental netfilter MIRROR target can be used to launch a DoS
    attack against two hosts which mirror the same protocol on at least
    one port.  An attacker can spoof packets with these mirrored ports
    as source and destination and a high TTL, 255 for example.

    These packets are then mirrored on each side until the TTL reaches
    zero.  In a LAN without a router these packets will never expire,
    because nothing on the path decrements the TTL.

    Fabian tried this attack over the Internet with one packet, where a
    TTL of 255 was set, between Germany and Austria, with the result
    that this packet was wrapped around 30 times.

    Evil minds can use this attack to crash these hosts or eat up  all
    the bandwidth, just by sending spoofed packets.

    It's also documented in the Linux kernel help, but you won't really
    expect that the TTL is not decremented if you only read there that
    the source and destination addresses of the packets are reversed.

SOLUTION

    Here are some possible workarounds:
    - Put a TTL decrement rule, for example

        iptables -t mangle -A PREROUTING -p all -j TTL --ttl-dec 1

      or better, a rule with a higher decrement, before the MIRROR
      rule.  (The TTL target is only valid in the mangle table; the
      mangle PREROUTING chain is traversed before the filter INPUT
      chain, so the decrement happens before MIRROR.)
    - In addition, set a strong limit on the packets which are
      mirrored.
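    The following Python model (an added example, not part of the
    original advisory) counts how many times one spoofed packet is
    mirrored before its TTL expires, for a routed path and for a LAN,
    with and without a host-side TTL rule.  It assumes that each router
    drops a packet whose TTL is 1 or less and otherwise decrements it by
    one, that the decrement of the TTL target clamps at zero, that local
    delivery does not check the TTL, and that MIRROR reflects the packet
    without any TTL check; the eight routers per leg are an illustrative
    guess, not Fabian's measured path.

```python
from typing import Optional


def mirror_bounces(ttl: int, routers_per_leg: int, host_dec: int = 0,
                   host_drop_below: int = 0,
                   max_legs: int = 100_000) -> Optional[int]:
    """Count mirror events for one spoofed packet bouncing between two hosts.

    ttl             -- initial TTL chosen by the sender (255 is the maximum)
    routers_per_leg -- routers between the two hosts (0 models a flat LAN)
    host_dec        -- decrement applied by '-j TTL --ttl-dec N' before MIRROR
                       (0 models the stock INPUT/PREROUTING MIRROR target)
    host_drop_below -- N for an additional '-m ttl --ttl-lt N -j DROP' rule
                       placed before MIRROR (0 disables it)
    Returns the number of times the packet was mirrored, or None when it is
    still bouncing after max_legs legs, i.e. it never expires.
    """
    mirrored = 0
    for _ in range(max_legs):
        # One leg across the path: a router drops a packet whose TTL is <= 1
        # (ICMP time exceeded) and otherwise forwards it with TTL - 1.
        for _hop in range(routers_per_leg):
            if ttl <= 1:
                return mirrored
            ttl -= 1
        # Arrival at a mirroring host. Local delivery performs no TTL check,
        # so the packet reaches the INPUT chain even with TTL 1 (or 0 on a LAN).
        if ttl < host_drop_below:
            return mirrored            # dropped by the ttl match rule
        ttl = max(ttl - host_dec, 0)   # TTL target clamps at zero (assumption)
        mirrored += 1                  # MIRROR reflects it without a TTL check
    return None


if __name__ == "__main__":
    # Constructed scenarios: a routed path with eight routers per leg, and a LAN.
    for label, kwargs in [
        ("Internet, stock MIRROR", dict(routers_per_leg=8)),
        ("Internet, --ttl-dec 1", dict(routers_per_leg=8, host_dec=1)),
        ("Internet, --ttl-dec 64", dict(routers_per_leg=8, host_dec=64)),
        ("LAN, stock MIRROR", dict(routers_per_leg=0)),
        ("LAN, --ttl-dec 1 only", dict(routers_per_leg=0, host_dec=1)),
        ("LAN, --ttl-dec 1 + --ttl-lt 2 DROP",
         dict(routers_per_leg=0, host_dec=1, host_drop_below=2)),
    ]:
        n = mirror_bounces(255, **kwargs)
        print(f"{label:38s} {'never expires' if n is None else n}")
```

    Under these assumptions a decrement rule alone does not end the LAN
    case (the TTL sticks at zero and keeps being reflected), which is why
    the rate limit in the second workaround is not optional there.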

    However, if you use the MIRROR target in the FORWARD chain of the
    filter table (where you usually would place it), the TTL is
    decremented.  Look at the code flow through the IP stack:

        net/ipv4/ip_input.c:ip_rcv_finish()
        net/ipv4/route.c:ip_route_input()
        net/ipv4/ip_forward.c:ip_forward()
        - TTL is decremented / checked / packet dropped if TTL == 0
        - _afterwards_ the NF_IP_FORWARD hook is called and the
          FORWARD chain of the filter table traversed

    The netfilter core team will provide a solution for the only
    remaining case: usage of the MIRROR target in the INPUT or
    PREROUTING chain.  In this case the current MIRROR target indeed
    violates the host requirements RFC, because it doesn't decrement
    the TTL.

    If you use experimental code (explicitly marked as "for
    demonstration only") in production environments, you know that you
    are doing it at your own risk.

    As soon as you use the MIRROR target without any bandwidth
    limiting, you will _always_ be in a situation where somebody can
    eat up your outgoing bandwidth.  This is a well-known fact, and
    obvious.