April 2005

ID: 00312
Ref: 287/2005
Date: 13 April 2005:15:13:16
Version: 1

---

Title: TCP Connections May Experience Performance Degradation If Certain ICMP Error Messages Are Received (57746)
Abstract:
Vendors affected: SuSe,Sun
Operating systems affected: SuSe,Sun
Applications affected: SuSe,Sun

---

Title
=====
TCP Connections May Experience Performance Degradation If Certain ICMP Error
Messages Are Received (57746)

Detail
======

PLEASE NOTE- The following is a plain text copy of a Sun SunSolve web page,
which is located at:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57746-1



Document Audience: PUBLIC
Document ID: 57746
Title: Sun TCP Connections May Experience Performance Degradation If Certain
ICMP Error Messages Are Received
Update Date: 2005-04-12

- --------------------------------------------------------------------------------
Description
- --------------------------------------------------------------------------------
Sun(sm) Alert Notification

Sun Alert ID: 57746
Synopsis: Sun TCP Connections May Experience Performance Degradation If Certain
ICMP Error Messages Are Received
Category: Security
Product: Solaris
BugIDs: 5084452
Avoidance: None
State: Committed
Date Released: 12-Apr-2005
Date Closed:
Date Modified:


1. Impact
This Sun Alert describes the Sun specific impact of the issues described in the
Internet-Draft (I-D) titled "ICMP attacks against TCP" written by Fernando Gont.
The I-D describes how TCP(7P) connections could be reset and disconnected as a
result of ICMP(7P) error messages. Solaris will not drop established TCP connections
based on ICMP errors. There is a theoretical possibility that a TCP connection
which is in the process of being set up could be terminated before being
established. However, there is no risk of data corruption or compromise in this
scenario.

The draft also describes ICMP messages which could impact the performance of
existing TCP connections. This issue affects all current versions of Solaris and
thus Sun plans on improving how ICMP errors are handled to further mitigate the
impact of such ICMP messages.

This issue is also described in the following documents:

IETF Internet Draft at
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt

CERT Vulnerability Note VU#222750 at http://www.kb.cert.org/vuls/222750

CVEs CAN-2004-0790 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790

CVEs CAN-2004-0791 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791


2. Contributing Factors
This issue can occur in the following releases:

SPARC Platform

Solaris 7
Solaris 8
Solaris 9
Solaris 10
x86 Platform

Solaris 7
Solaris 8
Solaris 9
Solaris 10

3. Symptoms
In order to verify if ICMP error messages are being sent to a specific system on
the network, network monitoring tool such as snoop(1M) can be used from either the
specific system or another system on the same network.

The following command can be run (as "root"):

# snoop -o
Afterwards, the snoop(1M) utility can display the packets captured in the "output-file"
using the "-v" and "-i" options, as in:

# snoop -v -i output-file icmp icmp6
and inspect the output for ICMP packets which will look similar to the following:

ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 0 (Echo reply)
ICMP: Code = 0 (ID: 5417 Sequence number: 0)
ICMP: Checksum = be96
ICMP:
If the "Type" value and the "Code" value (for multiple packets) are equal to any of the
following combinations:

Type Code Name
---- ---- -----------------
4 0 Source Quench
3 * Net/Host/Protocol/Port Unreachable, etc.
5 * Redirect
6 0 Alternate Host Address
11 * Time Exceeded
12 * Parameter Problem

then the system may be the target of the described ICMP issue.

- - --------------------------------------------------------------------------------
Solution Summary
- - --------------------------------------------------------------------------------

4. Relief/Workaround
There is no workaround for this issue at this time.

5. Resolution
A final resolution is pending completion.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert
notification may contain information provided by third parties. The issues described in
this Sun Alert notification may or may not impact your system(s). Sun makes no
representations, warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT
ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information. It is being provided
to you pursuant to the provisions of your agreement to purchase services from Sun, or, if
you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.

Applies To
-

Attachments
-