Sun TCP Connections May Experience Performance Degradation If Certain ICMP Error Messages Are Received

| Category | Security |
| Release Phase | Resolved |
| Product | Solaris 7 Operating System, Solaris 8 Operating System, Solaris 9 Operating System, Solaris 10 Operating System |
| Bug Id | 5084452 |
| Date of Workaround Release | 12-APR-2005 |
| Date of Resolved Release | 07-DEC-2006 |
Impact
This Sun Alert describes the Sun-specific impact of the issues described in the Internet-Draft (I-D) titled "ICMP attacks against TCP", written by Fernando Gont. The I-D describes how TCP(7P) connections could be reset and disconnected as a result of ICMP(7P) error messages. Solaris does not drop established TCP connections based on ICMP errors. There is a theoretical possibility that a TCP connection which is still being set up could be terminated before it is established; however, there is no risk of data corruption or compromise in this scenario.
The draft also describes ICMP messages which could degrade the performance of existing TCP connections. This issue affects all current versions of Solaris, and Sun therefore plans to improve how ICMP errors are handled in order to further mitigate the impact of such ICMP messages.
This issue is also described in the following documents:
IETF Internet Draft at http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt
CERT Vulnerability Note VU#222750 at http://www.kb.cert.org/vuls/id/222750
CVE CAN-2004-0790 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790
CVE CAN-2004-0791 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
x86 Platform
Symptoms
To verify whether ICMP error messages are being sent to a specific system on the network, a network monitoring tool such as snoop(1M) can be used, either on that system or on another system on the same network.
The following command can be run (as "root"):
# snoop -o <output-file>
Afterwards, the snoop(1M) utility can display the packets captured in "output-file" using the "-v" and "-i" options, as in:
# snoop -v -i output-file icmp icmp6
Inspect the output for ICMP packets, which will look similar to the following:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 0 (Echo reply)
ICMP: Code = 0 (ID: 5417 Sequence number: 0)
ICMP: Checksum = be96
ICMP:
If, across multiple packets, the "Type" and "Code" values match any of the following combinations (where "*" means any code):

| Type | Code | Name |
| ---- | ---- | ----------------- |
| 4 | 0 | Source Quench |
| 3 | * | Net/Host/Protocol/Port Unreachable, etc. |
| 5 | * | Redirect |
| 6 | 0 | Alternate Host Address |
| 11 | * | Time Exceeded |
| 12 | * | Parameter Problem |

then the system may be the target of the described ICMP issue.
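As an added example that is not part of this Sun Alert, the following script automates the check above: it reads the text printed by "snoop -v -i output-file icmp icmp6" on standard input and reports every ICMP header whose Type/Code matches the table. The function names are assumed, and the sample input is constructed in the format of the snoop(1M) output shown above, not taken from a real capture.

```shell
#!/bin/sh
# Scan "snoop -v -i output-file icmp icmp6" output (on stdin) for the
# Type/Code combinations listed in the alert; print one line per match.
flag_icmp_errors() {
    awk '
    # snoop prints one block per ICMP header; reset state at each one.
    /^ICMP: *----- ICMP Header -----/ { type = -1 }
    /^ICMP: *Type = [0-9]+/ {
        match($0, /Type = [0-9]+/)
        type = substr($0, RSTART + 7, RLENGTH - 7) + 0
    }
    /^ICMP: *Code = [0-9]+/ {
        match($0, /Code = [0-9]+/)
        code = substr($0, RSTART + 7, RLENGTH - 7) + 0
        name = ""
        if (type == 4 && code == 0)      name = "Source Quench"
        else if (type == 3)              name = "Destination Unreachable"
        else if (type == 5)              name = "Redirect"
        else if (type == 6 && code == 0) name = "Alternate Host Address"
        else if (type == 11)             name = "Time Exceeded"
        else if (type == 12)             name = "Parameter Problem"
        if (name != "")
            printf "ICMP type %d code %d (%s) matches the alert table\n", type, code, name
        type = -1
    }'
}

# Number of matching ICMP headers in the snoop output on stdin.
count_icmp_errors() {
    flag_icmp_errors | awk 'END { print NR }'
}

# Constructed sample (not a real capture): one harmless Echo reply
# followed by three of the error messages the alert lists.
SAMPLE_SNOOP='ICMP:  ----- ICMP Header -----
ICMP:  Type = 0 (Echo reply)
ICMP:  Code = 0 (ID: 5417 Sequence number: 0)
ICMP:  Checksum = be96
ICMP:  ----- ICMP Header -----
ICMP:  Type = 3 (Destination unreachable)
ICMP:  Code = 3 (Bad port)
ICMP:  ----- ICMP Header -----
ICMP:  Type = 4 (Source quench)
ICMP:  Code = 0
ICMP:  ----- ICMP Header -----
ICMP:  Type = 11 (Time exceeded)
ICMP:  Code = 0 (Time to live exceeded in transit)'

printf '%s\n' "$SAMPLE_SNOOP" | flag_icmp_errors
```

On a live system, replace the sample with `snoop -v -i output-file icmp icmp6 | flag_icmp_errors`; a non-zero count across several packets is the symptom the alert describes.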
Workaround
There is no workaround for this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform
Modification History
Change History:
07-Jun-2005:
- Correction to CERT URL made in Impact section
02-Feb-2006:
- Updated Contributing Factors and Resolution sections
03-Mar-2006:
- Updated Contributing Factors and Resolution sections
21-Mar-2006:
- Updated Contributing Factors and Resolution sections
12-Apr-2006:
- Updated Contributing Factors and Resolution sections
29-Nov-2006:
- Updated Contributing Factors and Resolution sections
07-Dec-2006:
- Updated Contributing Factors and Resolution sections
- State: Resolved