From root@mail.martens.ro  Tue Feb  1 15:46:22 2005
Return-Path: <root@mail.martens.ro>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5CB5216A4D8
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Feb 2005 15:46:22 +0000 (GMT)
Received: from mail.martens.ro (martens.ro [81.196.54.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1EB4343D48
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Feb 2005 15:46:21 +0000 (GMT)
	(envelope-from root@mail.martens.ro)
Received: from localhost (localhost.martens.ro [127.0.0.1])
	by mail.martens.ro (Postfix) with ESMTP id A58A92A6A7
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Feb 2005 17:35:34 +0200 (EET)
Received: from mail.martens.ro ([127.0.0.1])
 by localhost (mail.martens.ro [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 03483-04 for <FreeBSD-gnats-submit@freebsd.org>;
 Tue,  1 Feb 2005 17:35:28 +0200 (EET)
Received: by mail.martens.ro (Postfix, from userid 0)
	id 415C82A6A6; Tue,  1 Feb 2005 17:35:28 +0200 (EET)
Message-Id: <20050201153528.415C82A6A6@mail.martens.ro>
Date: Tue,  1 Feb 2005 17:35:28 +0200 (EET)
From: Emil Cazamir <emil.cazamir@galati.rdsnet.ro>
Reply-To: Emil Cazamir <emil.cazamir@galati.rdsnet.ro>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: udp/520 reply packets when routed is not running 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76966
>Category:       kern
>Synopsis:       udp/520 reply packets when routed is not running
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 01 15:50:17 GMT 2005
>Closed-Date:    Fri Feb 09 03:53:26 GMT 2007
>Last-Modified:  Fri Feb 09 03:53:26 GMT 2007
>Originator:     Emil Cazamir
>Release:        FreeBSD 4.11-PRERELEASE i386
>Organization:
none
>Environment:
System: FreeBSD mail.martens.ro 4.11-PRERELEASE FreeBSD 4.11-PRERELEASE #2: Tue Dec 14 11:58:06 EET 2004 root@mail.martens.ro:/usr/src/sys/compile/MARTENS i386
>Description:
	The FreeBSD kernel seems to respond to udp/520 packets even when
there is no such daemon running. A host in an ethernet network is sending
this type of packets, sending them to ethernet broadcast address and his
subnet's broadcast address and this machine send answer packets, sending
them to the default gateway's MAC address. I believe that this kind of
replies should be send only if this machine is running a routing daemon,
such as "routed", which is not the case.
	
>How-To-Repeat:
	
tcpdump -nvi [interface] -p udp and port 520:
0:0:0:0:0:1 is my gateway's MAC address, 0:0:0:0:0:2 is my external
interface's MAC address
17:03:32.185977 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.186153 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.186172 0:f:3d:47:8c:9b ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.186325 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.189453 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.189620 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.189644 0:f:3d:47:8c:9b ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.189800 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.190279 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.190447 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.190486 0:f:3d:47:8c:9b ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.190659 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
17:03:32.190698 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
> 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
[root@mail] ~# ps ax | grep routed
 7390  p0  R+     0:00.00 grep routed
 [root@mail] ~# sockstat | grep 520
 [root@mail] ~# lsof | grep 520
 master     446    root   14u  PIPE 0xca3f2520      16384
->0xca3f2480
 master     446    root   15u  PIPE 0xca3f2480      16384
->0xca3f2520
 snmpd      468    root    8u  PIPE 0xca6475c0      16384
->0xca647520
 snmpd      468    root    9u  PIPE 0xca647520      16384
->0xca6475c0
 grep      7396    root  txt   VREG 116,131078      52000 202581
/usr/bin/grep

this may lead to network problems if there is a mis-configured "routed" in a
network with a large number of FreeBSD 4.x machines by generating a large 
number of packets, possibly directed to the default router of each machine. 
If the source machine will send 300 packets/second (to ethernet broadcast) 
every FreeBSD 4.x machine will generate a reply which will be sent back to 
the network, directed to the subnet's broadcast address directly or through 
the default router, generating what we know as "braodcast storm" or "denial of
service" similar to smurf.


>Fix:

	
	Temporary fix: 
		ipfw add 1 deny udp from any to any via _if_ 520
	The real solution to the problem: 
		unknown
>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: Emil Cazamir <emil.cazamir@galati.rdsnet.ro>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/76966: udp/520 reply packets when routed is not running
Date: Sun, 6 Feb 2005 17:41:15 +0000

 On Tue, Feb 01, 2005 at 05:35:28PM +0200, Emil Cazamir wrote:
 > >Description:
 > 	The FreeBSD kernel seems to respond to udp/520 packets even when
 > there is no such daemon running.
 
 There's no code in the FreeBSD kernel for doing this, however I think
 I know what is going on...
 
 > 17:03:32.185977 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60: 192.168.0.10.520
 > > 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
 > 17:03:32.186153 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
 > 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
 
 Your FreeBSD maching gets a packet for 192.168.0.255 - I suspect
 you have the netmask on your FreeBSD machine set incorrectly so it
 does not consider this a broadcast address. Consequently, it probably
 considers this a misdirected packet and so sends an ICMP redirect
 and then forwards the packet, in this case to the default router.
 
 I'm not sure why the source address on the packet has changed -
 that bit seems a bit odd.
 
 	David.

From: "Emil Cazamir" <emil.cazamir@galati.rdsnet.ro>
To: <dwmalone@maths.tcd.ie>
Cc: <FreeBSD-gnats-submit@FreeBSD.org>
Subject: RE: kern/76966: udp/520 reply packets when routed is not running
Date: Mon, 7 Feb 2005 12:53:08 +0200

 -----Original Message-----
 From: dwmalone@maths.tcd.ie [mailto:dwmalone@maths.tcd.ie] 
 Sent: 6 februarie 2005 19:41
 To: Emil Cazamir
 Cc: FreeBSD-gnats-submit@FreeBSD.org
 Subject: Re: kern/76966: udp/520 reply packets when routed is not running
 
 On Tue, Feb 01, 2005 at 05:35:28PM +0200, Emil Cazamir wrote:
 > >Description:
 > 	The FreeBSD kernel seems to respond to udp/520 packets even when
 > there is no such daemon running.
 
 There's no code in the FreeBSD kernel for doing this, however I think
 I know what is going on...
 
 > 17:03:32.185977 0:f:3d:47:8b:de ff:ff:ff:ff:ff:ff 0800 60:
 192.168.0.10.520
 > > 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
 > 17:03:32.186153 0:0:0:0:0:2 0:0:0:0:0:1 0800 60: 192.168.1.33.520 >
 > 192.168.0.255.520:  RIPv1-resp [items 0]: (DF)
 
 Your FreeBSD maching gets a packet for 192.168.0.255 - I suspect
 you have the netmask on your FreeBSD machine set incorrectly so it
 does not consider this a broadcast address. Consequently, it probably
 considers this a misdirected packet and so sends an ICMP redirect
 and then forwards the packet, in this case to the default router.
 
 I'm not sure why the source address on the packet has changed -
 that bit seems a bit odd.
 
 	David.
 
 There is no problem with the netmask, there are several subnets sharing the
 same wire. I lokked into few kernel config files and I didn't found anything
 specific. I think that the cause of what's happening is somewhere in
 natd/libalias, all the machines which respond to [or  forward] udp/520
 packets are running natd. I will make available kernel config files, process
 listings, etc if it is required.
 
 
State-Changed-From-To: open->feedback 
State-Changed-By: bms 
State-Changed-When: Mon Sep 25 17:43:59 UTC 2006 
State-Changed-Why:  
libalias has had a rewrite since then. Have you tried a newer release? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76966 
State-Changed-From-To: feedback->closed 
State-Changed-By: bms 
State-Changed-When: Fri Feb 9 03:53:12 UTC 2007 
State-Changed-Why:  
timeout on feedback 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76966 
>Unformatted:
