Closed eyalsoha closed 4 years ago
The network-layer source and destination addresses are parsed here: https://github.com/google/gvisor/blob/83ab47e87badd8b46f784739903361d9f824fa2c/pkg/tcpip/stack/nic.go#L820. That's probably where we should handle this case.
Is the right thing there to drop all packets where:
?
We would like to drop any packet that couldn't be valid. If those packets are coming from outside gVisor, they shouldn't have a source address that gVisor "owns". That is, gVisor already has a NIC with that address.
But if that function is reached even from packets that gVisor generates, for example, one endpoint pinging another in the same system, then we need to be more careful.
A much more recent document on this attack is https://tools.ietf.org/html/rfc4987.
gVisor will process packets with the source IP address equal to the interface's address, though it shouldn't.
Following the guidelines in CERT Advisory CA-96.21 III. Solution, a device shouldn't accept packets from an internal IP address. Nor should it be willing to generate a packet that isn't from an internal address.
So if gVisor gets a packet where the source IP address is equal to one of the interface's addresses, it should drop it, because no other device should be able to make packets like that. gVisor doesn't drop it, though. In the case of a SYN packet, the endpoint will SYN, SYNACK, and RST itself.
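The check discussed in this thread, as an added Go sketch that is not gVisor's code: a packet arriving from outside is dropped when its source address is one the stack owns, while a packet looped back between endpoints in the same stack is still accepted. `Stack`, `Origin`, `Owns`, `AcceptSource` and the sample addresses are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Origin says how a packet reached the network layer (hypothetical type).
type Origin int

const (
	FromWire  Origin = iota // delivered by a link endpoint, from outside the stack
	FromLocal               // looped back from an endpoint inside the same stack
)

// Stack is a stand-in for a network stack; it only tracks per-NIC addresses.
type Stack struct {
	NICAddrs map[int][]netip.Addr
}

// Owns reports whether any NIC in the stack has addr assigned.
// IPv4-mapped IPv6 forms are unmapped first so they cannot bypass the match.
func (s *Stack) Owns(addr netip.Addr) bool {
	addr = addr.Unmap()
	for _, addrs := range s.NICAddrs {
		for _, a := range addrs {
			if a == addr {
				return true
			}
		}
	}
	return false
}

// AcceptSource decides whether a packet with source src may be processed.
func (s *Stack) AcceptSource(src netip.Addr, origin Origin) bool {
	if !src.IsValid() {
		return false
	}
	// No outside device can legitimately send from an address this stack owns.
	// Locally generated traffic (one endpoint pinging another) is exempt.
	return !(origin == FromWire && s.Owns(src))
}

func main() {
	// Constructed sample addresses from the documentation ranges.
	own := netip.MustParseAddr("192.0.2.10")
	s := &Stack{NICAddrs: map[int][]netip.Addr{1: {own}}}
	fmt.Println(s.AcceptSource(own, FromWire))                                 // false
	fmt.Println(s.AcceptSource(own, FromLocal))                                // true
	fmt.Println(s.AcceptSource(netip.MustParseAddr("198.51.100.7"), FromWire)) // true
}
```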