[Bug 209491] Broadcast storm with ipfw+natd+gateway

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat May 14 01:03:19 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209491

            Bug ID: 209491
           Summary: Broadcast storm with ipfw+natd+gateway
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cejkar at fit.vutbr.cz

After commit 290383 (replace fastforward path with tryforward), there is
at least one possible system configuration that can be the source of a
broadcast storm. Simply put this in your /etc/rc.conf:

    firewall_enable="YES"
    firewall_type="OPEN"

    natd_enable="YES"
    natd_interface="em0"

    gateway_enable="YES"

After reboot, you have a divert rule in ipfw with natd running:

    00050 divert 8668 ip4 from any to any via em0

Then simply send a broadcast to this system, and it responds by sending back
2 * (TTL - 1) broadcasts.

Have at least two of these systems on one local subnet with a configured Samba
server, which sends one broadcast per minute, and this is practically
sufficient to shut down your site with a broadcast storm.

A pre-290383 system just receives the broadcast:

    08:55:25.167489 IP 10.0.2.4.21680 > 10.0.2.255.netbios-ns: [|SMB]

A post-290383 system with IP 10.0.2.15 receives the broadcast and then responds
with 126 broadcasts with a rewritten (translated) source address:

    09:02:33.939027 IP 10.0.2.4.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939255 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939303 IP 10.0.2.15.21490 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939472 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939524 IP 10.0.2.15.44294 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939630 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
    09:02:33.939661 IP 10.0.2.15.40288 > 10.0.2.255.netbios-ns: [|SMB]
    ...

(I thought that it was just one or two replied broadcasts, but in my testing
environment in VirtualBox with two systems, one sending the broadcast and one
storming, it really showed this output and I could not find any other
explanation for it. However, the example above with one Samba server and three
storming systems was really real...)

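An added example, not from the report or from FreeBSD: a small Python detector that parses tcpdump lines like those above and flags any host re-emitting packets to the subnet broadcast address at the rate this bug produces, plus the 2 * (TTL - 1) formula from the report. The sample lines are constructed; the /24 broadcast address 10.0.2.255, the one-second window and the threshold of 10 are assumptions.

```python
import re

# Constructed sample of tcpdump output, patterned on the report: one genuine
# NetBIOS name-service broadcast from 10.0.2.4, then twelve re-emitted copies
# from the storming gateway 10.0.2.15 (the report shows 126 of them).
SAMPLE_LINES = [
    "09:02:33.939027 IP 10.0.2.4.21490 > 10.0.2.255.netbios-ns: [|SMB]",
] + [
    "09:02:33.%06d IP 10.0.2.15.%d > 10.0.2.255.netbios-ns: [|SMB]"
    % (939255 + 40 * i, 21490 + 1000 * (i // 2))
    for i in range(12)
]

# tcpdump IPv4 line: "HH:MM:SS.usec IP src.port > dst.port: ..."
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\S+:"
)


def parse_line(line):
    """Return (timestamp_seconds, src, dst) for an IPv4 tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return ts, m["src"], m["dst"]


def storm_sources(lines, broadcast="10.0.2.255", window=1.0, threshold=10):
    """Sources that sent >= threshold packets to the broadcast address within
    any window-second span (assumed /24 broadcast address from the report)."""
    times = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != broadcast:
            continue
        ts, src, _ = parsed
        times.setdefault(src, []).append(ts)
    hits = {}
    for src, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):  # sliding window over sorted stamps
            while ts - stamps[lo] > window:
                lo += 1
            hits[src] = max(hits.get(src, 0), hi - lo + 1)
    return sorted((s, n) for s, n in hits.items() if n >= threshold)


def expected_echoes(ttl=64):
    """Broadcasts the report says a post-290383 gateway re-emits: 2 * (TTL - 1)."""
    return 2 * (ttl - 1)
```

With the default TTL of 64, expected_echoes() gives the 126 copies the report observed, and storm_sources(SAMPLE_LINES) flags only 10.0.2.15.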