From lwa@victor.teaser.fr  Thu Aug 16 06:54:37 2001
Return-Path: <lwa@victor.teaser.fr>
Received: from victor.teaser.fr (victor.teaser.fr [213.91.2.241])
	by hub.freebsd.org (Postfix) with ESMTP id 4FE2E37B409
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 16 Aug 2001 06:54:37 -0700 (PDT)
	(envelope-from lwa@victor.teaser.fr)
Received: by victor.teaser.fr (Postfix, from userid 1000)
	id 0DDF732607; Thu, 16 Aug 2001 15:54:31 +0200 (CEST)
Message-Id: <20010816135431.0DDF732607@victor.teaser.fr>
Date: Thu, 16 Aug 2001 15:54:31 +0200 (CEST)
From: Laurent Wacrenier <lwa@teaser.fr>
Reply-To: Laurent Wacrenier <lwa@teaser.fr>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: accept filters leave established connections without timeout
X-Send-Pr-Version: 3.113
X-GNATS-Notify: ru

>Number:         29774
>Category:       kern
>Synopsis:       accept filters leave established connections without timeout
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    alfred
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 16 07:00:11 PDT 2001
>Closed-Date:    Mon Aug 27 11:49:06 PDT 2001
>Last-Modified:  Mon Aug 27 11:50:44 PDT 2001
>Originator:     Laurent Wacrenier
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
France Teaser
>Environment:
System: FreeBSD victor.teaser.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Tue Aug 7 14:51:14 CEST 2001 lwa@victor.teaser.fr:/usr/src/sys/i386/compile/VICTOR i386

apache-1.3.20 compiled from ports

>Description:

   When apache is used with httpready accept filter, the kernel notice
apache than a connection is avaiable if data match what httpready is
programmed for. On certain case, httpready keep the data without time
limit, leaving one connection established and wasting some mbuf.

After one day running, on a server never referenced and without any
documents :

% netstat -an -f inet | 'Proto|\.80'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3818      0  213.91.2.241.80        213.30.133.122.4647    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.93.113.136.2698    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.57.142.158.11000   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.8.86.29.2566       ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.250.62.21.3955     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        62.10.54.49.2164       ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.176.53.5.1383      ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.242.144.68.1153    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.96.30.158.2110     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.46.202.155.4871    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.221.18.242.3455    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.66.113.35.3087     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.74.116.246.35836   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.194.95.185.1390    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.64.213.5.16989     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.131.135.241.1368   ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.147.49.210.2503    ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.132.46.58.3615     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.32.45.66.3813      ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.217.37.10.1494     ESTABLISHED
tcp4    3818      0  213.91.2.241.80        213.132.49.86.63509    ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN

I suspect all this established connection are hits from Code Red worm.
Code Red is a worm running on Microsoft Windows systems that scan the
internet IP addresses to seek other Microsoft Windows systems on wich
it can install itself (with a preference for IP address on the same
Class A)

It may be a serious security issue because a malicious user will be
able to send the same sequence of TCP frames and buzy all avaiable
TCP connections slots in few minuts.

>How-To-Repeat:

  - install apache 1.3.20
  - kldload accf_http
  - start apache
  - wait some hours until few Code Red worms instance hit you

>Fix:

  Accept filters are not enable on the kernel by default, but if they
are, the apache port will use it without software configuration.

  Until accept filters are able to manage connection timeout :

     fix your kernel or your loader configuration to unload
     accept filters, so apache will be unable to use it. Then reboot.

  It will be a good thing to remove recommandation about the use of
  accept filter on the apache optimisation document about BSD.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->alfred 
Responsible-Changed-By: ru 
Responsible-Changed-When: Thu Aug 16 08:43:52 PDT 2001 
Responsible-Changed-Why:  
Alfred, could you please look at this? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29774 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/29774: accept filters leave established connections without timeout
Date: Thu, 16 Aug 2001 21:23:23 +0300

 ----- Forwarded message from Alfred Perlstein <alfred@FreeBSD.org> -----
 
 Date: Thu, 16 Aug 2001 12:21:55 -0500
 From: Alfred Perlstein <alfred@FreeBSD.org>
 To: ru@FreeBSD.org
 Cc: freebsd-bugs@FreeBSD.org
 
 * ru@FreeBSD.org <ru@FreeBSD.org> [010816 10:46] wrote:
 > Synopsis: accept filters leave established connections without timeout
 > 
 > Alfred, could you please look at this?
 
 I've already answered such questions before.
 
 Yes accept filters leave the connection open, however the connections
 will be dropped when SOMAXCON (or the listen(2) limit) is hit.
 
 I also suspect that you can enable keepalives on the listen
 socket to effect a timeout for incomming connections.
 
 Please let me know if this is acceptable.
 
 -- 
 -Alfred Perlstein [alfred@freebsd.org]
 Ok, who wrote this damn function called '??'?
 And why do my programs keep crashing in it?
 
 ----- End forwarded message -----
State-Changed-From-To: open->analyzed 
State-Changed-By: alfred 
State-Changed-When: Thu Aug 16 16:17:32 PDT 2001 
State-Changed-Why:  


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29774 
State-Changed-From-To: analyzed->feedback 
State-Changed-By: alfred 
State-Changed-When: Thu Aug 16 16:18:08 PDT 2001 
State-Changed-Why:  
waiting for originator to report possible solutions and actually 
explore the problem fully to determine if there actually exists 
a real way to DoS accept filters. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29774 
State-Changed-From-To: feedback->closed 
State-Changed-By: alfred 
State-Changed-When: Mon Aug 27 11:49:06 PDT 2001 
State-Changed-Why:  
originator timed out waiting for responce, and I'm confident that my 
explanation of how this actually works is sufficient although patches 
to add a timeout would be accepted. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29774 
>Unformatted:
