[Bug 287229] IP reassembly issue in FreeBSD 14.1
Date: Fri, 20 Jun 2025 17:11:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287229

--- Comment #31 from Gleb Smirnoff <glebius@FreeBSD.org> ---
On Fri Jun 20 10:03:19 2025 UTC, lucas.aubard@irisa.fr wrote:
> We are currently working on Network Intrusion Detection Systems (NIDS) evasion
> with overlapping IP fragments or TCP segments.
> Some NIDSes (Suricata, Snort) propose configuring their IP and TCP reassemblies
> based on the supervised host OSes as an evasion countermeasure to
> overlapping-based attacks. In that context, we test OSes (and other stacks) to
> obtain and describe their reassembly policies so NIDSes can implement and
> propose them.
> From a NIDS perspective, OS reassembly consistency is thus quite important.

Security-wise, the coin has two sides. If an attacker can predict what exact
fragments would be freed once a system runs out of reassembly queue limits,
then they can instrument attacks that would target specific connections.

In FreeBSD we salt the hash with a random seed:

    V_ipq_hashseed = arc4random();

This makes the distribution of fragment reassembly queues across the hash slots
not predictable by the attacker. For your experiments, you can disable that. But
for the general use of the system, we consider that not a bug, but a feature.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
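To illustrate the seeding point in the reply above, here is an added example (not FreeBSD's ip_reass.c) of why a per-boot random seed matters: with a known seed an observer can compute which reassembly slot every datagram's fragment queue lands in, with an unknown seed it cannot. The hash (Jenkins one-at-a-time), the key fields, the slot count and the sample addresses are all assumptions of this example, not the kernel's.

```c
#include <stdint.h>
#include <string.h>

#define NHASH 1024u /* assumed power-of-two slot count; slot = hash & (NHASH - 1) */

/* Fragment fields an observer on the wire can see (assumed key layout). */
struct frag_key {
    uint32_t src, dst; /* IPv4 source and destination, host byte order */
    uint16_t id;       /* IP identification shared by all fragments */
    uint8_t  proto;    /* IP protocol number */
};

/* Seeded Jenkins one-at-a-time hash, a stand-in for the kernel's hash.
 * Every step is invertible, so for a fixed key each distinct seed
 * yields a distinct 32-bit value. */
static uint32_t oaat_hash(const uint8_t *p, size_t len, uint32_t seed) {
    uint32_t h = seed;
    for (size_t i = 0; i < len; i++) { h += p[i]; h += h << 10; h ^= h >> 6; }
    h += h << 3; h ^= h >> 11; h += h << 15;
    return h;
}

uint32_t frag_hash32(const struct frag_key *k, uint32_t seed) {
    uint8_t buf[11];
    memcpy(buf, &k->src, 4); memcpy(buf + 4, &k->dst, 4);
    memcpy(buf + 8, &k->id, 2); buf[10] = k->proto;
    return oaat_hash(buf, sizeof buf, seed);
}

/* Reassembly queue slot for this datagram under a given hash seed. */
unsigned frag_bucket(const struct frag_key *k, uint32_t seed) {
    return frag_hash32(k, seed) & (NHASH - 1);
}

/* Constructed sample: n datagrams from neighbouring sources to one host. */
void make_sample_keys(struct frag_key *keys, size_t n) {
    for (size_t i = 0; i < n; i++) {
        keys[i].src = 0x0a000001u + (uint32_t)i; keys[i].dst = 0x0a0000feu;
        keys[i].id = (uint16_t)(1000 + i); keys[i].proto = 17;
    }
}

/* How many of n keys an observer assigns to the right slot when it assumes
 * guessed_seed while the host hashes with real_seed: all n if the seed is
 * known, roughly n / NHASH by chance if the seed is random and unknown. */
unsigned predicted_hits(const struct frag_key *keys, size_t n,
                        uint32_t guessed_seed, uint32_t real_seed) {
    unsigned hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += frag_bucket(&keys[i], guessed_seed) == frag_bucket(&keys[i], real_seed);
    return hits;
}
```

Disabling the seed for a reassembly-policy test run corresponds to calling `predicted_hits` with `guessed_seed == real_seed`; a production host with `arc4random()` seeding behaves like the unknown-seed case.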