[FUG-BR] freebsd 9.1 + mpd + freeradius + mysql + DoS = panic

Marcelo Gondim gondim at bsdinfo.com.br
Tue May 21 08:41:21 BRT 2013


Folks,

As I posted in another message, here are my configurations and test
script. The kernel panic is not quick, but after a few hours of attack
the panic comes, and it comes in style: http://pastebin.com/nUXGVR3y

My mpd.conf:
============
startup:
         # configure mpd users
         #set user foo bar admin
         set user suporte papatango
         set user admin tutumineiro admin
         # configure the console
         set console self 192.168.8.34 5005
         set console open
         # configure the web server
         set web self 0.0.0.0 5006
         set web open


default:
         load pppoe_server

pppoe_server:
         create bundle template B
         set iface disable proxy-arp
         set iface enable tcpmssfix
         set ipcp dns 8.8.8.8 8.8.4.4
         #set ipcp enable vjcomp
         set iface up-script /usr/local/etc/mpd5/addclient.sh
         set iface down-script /usr/local/etc/mpd5/removeclient.sh
         set ippool add pool1 10.10.0.1 10.10.255.254
         set ipcp ranges 10.51.0.1/32 ippool pool1
         create link template common pppoe
         #set link enable multilink
         set link action bundle B
         set link disable chap pap eap
         set link mtu 1492
         set link mru 1492
         set link enable pap
         load radius

         create link template igb1 common
         set pppoe iface igb1
         set pppoe acname "IntBSD1"
         set pppoe service "*"
         set link enable incoming
         set auth max-logins 1
         set link max-children 5000

         create link template igb2 common
         set pppoe iface igb2
         set pppoe acname "IntBSD2"
         set pppoe service "*"
         set link enable incoming
         set auth max-logins 1
         set link max-children 5000

         create link template igb3 common
         set pppoe iface igb3
         set pppoe acname "IntBSD3"
         set pppoe service "*"
         set link enable incoming
         set auth max-logins 1
         set link max-children 5000

radius:
     set radius server localhost xuxupedra 1812 1813
     set radius retries 3
     set radius timeout 3
     # send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
     set radius me 127.0.0.1
     # send accounting updates every 5 minutes
     set auth acct-update 300
     # enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
     set auth enable radius-auth
     # enable RADIUS accounting
     set auth enable radius-acct
     # protect our requests with the message-authenticator
     set radius enable message-authentic

###########################################################################

My test ipfw:
================
fw="/sbin/ipfw"
ext_if="igb0"
$fw disable one_pass
$fw -f flush
$fw zero
$fw table all flush
$fw -f pipe flush
ssh_port="4321"
$fw add allow all from any to any via lo0
$fw add deny all from 127.0.0.0/8 to any
$fw add deny all from any to 127.0.0.0/8
$fw add check-state

# 1024 kbps speed
$fw add pipe 1 ip from "table(10)" to any in via ng*
$fw add pipe 2 ip from any to "table(10)" out via ng*
$fw pipe 1 config bw 1024Kbit/s queue 128 mask src-ip 255.255.255.255
$fw pipe 2 config bw 1024Kbit/s queue 128 mask dst-ip 255.255.255.255

# 2048 kbps speed
$fw add pipe 3 ip from "table(11)" to any in via ng*
$fw add pipe 4 ip from any to "table(11)" out via ng*
$fw pipe 3 config bw 2048Kbit/s queue 256 mask src-ip 255.255.255.255
$fw pipe 4 config bw 2048Kbit/s queue 256 mask dst-ip 255.255.255.255

# 10240 kbps speed
$fw add pipe 5 ip from "table(12)" to any in via ng*
$fw add pipe 6 ip from any to "table(12)" out via ng*
$fw pipe 5 config bw 10240Kbit/s queue 1280 mask src-ip 255.255.255.255
$fw pipe 6 config bw 10240Kbit/s queue 1280 mask dst-ip 255.255.255.255

# 64 kbps speed
$fw add pipe 7 ip from "table(13)" to any in via ng*
$fw add pipe 8 ip from any to "table(13)" out via ng*
$fw pipe 7 config bw 64Kbit/s queue 8 mask src-ip 255.255.255.255
$fw pipe 8 config bw 64Kbit/s queue 8 mask dst-ip 255.255.255.255

$fw add allow icmp from any to any icmptypes 0,3,8,11,12
$fw add deny icmp from any to any

=============================================================

In the rules above I created some tables for test speed control.

PF rules for NAT only:
======================
ext_if = "igb0"
table <masq> persist { 10.0.0.0/8 }
set skip on lo0
set limit states 40000
nat on $ext_if from <masq> to any -> 192.168.8.34

The addclient.sh and removeclient.sh scripts only add and remove the
IP the user received on connection, in the correct table for their
speed.

Below is the test I did with the DoS attack using another FreeBSD
machine. I set up ppp.conf and then ran the command to generate the
connections.

My ppp.conf:
============
intnet:
   set device PPPoE:re0
   set mru 1492
   set mtu 1492
   set authname hercilia201254
   set authkey 12345
   set login
   set dial
   enable dns
   add default HISADDR
   set timeout 0
   open

To generate the many connections, just take another FreeBSD machine with
good memory and CPU resources and run this command in the shell:

# for (( i=0; i < 3000; i++ )); do ppp -ddial intnet ; done

The user hercilia201254 has the wrong password on purpose, to
generate failed logins.

I e-mailed the freebsd-stable list, and the last reply I got was
from Adrian Chadd:

No idea. It's likely there; just a different kind of race condition. :(

Really tough.  :(
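
The message describes addclient.sh only in words (it puts the session IP into the speed table). The following is an added example, not the poster's script: a defensive version that validates the arguments before calling ipfw as root. It assumes the up-script argument order iface, proto, local-ip, remote-ip, authname, and a hypothetical plans.map file with "authname table" lines.

```shell
#!/bin/sh
# Added example: defensive addclient.sh for mpd's "set iface up-script".
# Assumed argument order: iface proto local-ip remote-ip authname ...
IPFW="${IPFW:-/sbin/ipfw}"                       # override for dry runs
PLANS="${PLANS:-/usr/local/etc/mpd5/plans.map}"  # hypothetical "authname table" file

# Succeed only for an address inside the page's pool 10.10.0.1-10.10.255.254.
valid_pool_ip() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && [ "$2" -eq 10 ] || return 1
    [ "$3.$4" != "0.0" ] && [ "$3.$4" != "255.255" ]
}

# Print the speed table for a user; accept only tables the ipfw rules use (10-13).
table_for_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    table=$(awk -v u="$1" '$1 == u { print $2; exit }' "$PLANS" 2>/dev/null) || return 1
    case "$table" in
        10|11|12|13) echo "$table" ;;
        *) return 1 ;;
    esac
}

# Entry point: refuse anything unexpected before touching the firewall as root.
addclient() {
    remote_ip=$4 authname=$5
    valid_pool_ip "$remote_ip" || { echo "rejected ip: $remote_ip" >&2; return 1; }
    table=$(table_for_user "$authname") || { echo "no plan: $authname" >&2; return 1; }
    "$IPFW" table "$table" add "$remote_ip"
}

if [ "$#" -ge 5 ]; then addclient "$@" || exit 1; fi
```

Running it with IPFW=echo prints the ipfw command instead of changing the tables.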

