Bug 12354

Summary: Possible Denial of Service when using dhcp on red
Product: IPFire
Reporter: Jonatan Schlag <jonatan.schlag>
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: Will affect most users
CC: andreas, arne.fitzenreiter, jonatan.schlag, michael.tremer, peter.mueller
Version: 2
Hardware: all
OS: All
Attachments: Logs of the Firewall, reduced to the interesting parts

Description Jonatan Schlag 2020-04-07 15:46:22 UTC

I will add further information when this bug is marked as private.

Comment 1 Jonatan Schlag 2020-04-07 15:56:41 UTC

On the third of February 2020, the dhcpc daemon crashed due to a segfault. This segfault seems to be caused by an invalid UDP package that was sent from an IP address which does not belong to my ISP.

Attached are logs of all events when the dhcpc daemon encountered an invalid UDP package.

I substituted all internal IP addresses with corresponding strings.

Comment 2 Jonatan Schlag 2020-04-07 15:59:50 UTC
Created attachment 741
Logs of the Firewall, reduced to the interesting parts
Comment 3 Peter Müller 2020-04-07 18:45:46 UTC
Just some details regarding the mentioned IPs:
-> AS20940 (Akamai Technologies)
-> Estimated location: Amsterdam, NL
-> AS15169 (Google LLC)
-> Estimated location: ? (Somewhere in Central Europe)
-> AS31334 (Vodafone Kabel Deutschland GmbH)
-> Estimated location: ?, DE
-> AS6057 (Administracion Nacional de Telecomunicaciones)
-> Estimated location: ?, BO

In my opinion, Vodafone/Kabel Deutschland has a major problem with the packet filters (if any) at their perimeters. Although I do not expect any answer, we should let them know about this as soon as this bug has been solved.
Comment 4 Peter Müller 2020-04-10 11:00:11 UTC
Trying to get a contact to the firewall folks at Kabel Deutschland...
Comment 5 Michael Tremer 2020-04-14 14:55:25 UTC
(In reply to Peter Müller from comment #4)
> Trying to get a contact to the firewall folks at Kabel Deutschland...

A customer can confirm that this is happening on Vodafone's network somewhere in Eastern Germany.

Jonatan, could you please install c143, which has an updated version of dhcpcd as soon as you can?
Comment 6 Arne.F 2020-04-14 16:33:52 UTC
Please test core144 from unstable. This contains only dhcpcd 9.00 yet.
Comment 8 Michael Tremer 2020-04-22 17:33:18 UTC
> https://blog.ipfire.org/post/ipfire-2-25-core-update-144-is-available-for-testing

Can somebody confirm that this is fixed?
Comment 9 Andreas Zweili 2020-04-23 15:27:20 UTC
I'm installing update 144 now since I wrote this post:

However I have no idea when I should report back that it works.
It can work fine for two - three weeks and at other times happen every few days.