From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 11:21:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0C8B16A4CE for ; Wed, 21 Apr 2004 11:21:33 -0700 (PDT) Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 44AF943D39 for ; Wed, 21 Apr 2004 11:21:33 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 57586 invoked from network); 21 Apr 2004 18:21:31 -0000 Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 21 Apr 2004 18:21:31 -0000 X-pair-Authenticated: 209.68.2.70 Date: Wed, 21 Apr 2004 13:47:35 -0500 (CDT) From: Mike Silbersack To: Don Lewis In-Reply-To: <200404211129.i3LBTH7E046516@gw.catspoiler.org> Message-ID: <20040421133638.S15588@odysseus.silby.com> References: <200404211129.i3LBTH7E046516@gw.catspoiler.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@FreeBSD.org cc: avalon@caligula.anu.edu.au Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Apr 2004 18:21:33 -0000 On Wed, 21 Apr 2004, Don Lewis wrote: > On 21 Apr, Mike Silbersack wrote: > > Would it be feasible for us to create a four to five element array to > > track "resettable" sequence numbers? This could hold the sequence numbers > > of the last few packets transmitted, and account for that edge case as > > well. I'm very uneasy with the IETF step C - sending more packets out > > into the network sounds like a new type of amplification attack. > > I'd be concerned about the extra memory, especially in cases where we > want to support very large numbers of connections. I don't think the memory would be prohibitive, but upon further thought I don't think the idea is advantageous. > As far as amplification, step C has a gain of less than one, since > packets are only transmitted if the incoming packet hits the window, and > they will be the same or smaller in size than the incoming packets. I > don't know if it would be valid to rate limit them ... Good point, I had forgotten about that. However, I'm still worried that sending those acks could have a downside. With all the tcp stacks out there, it seems probable that something will go wrong. > If this is the only edge case that we have to worry about, we might be > able change the test to: > > if (th->th_seq == tp->last_ack_sent || > th->th_seq == tp->last_ack_sent + tp->rcv_wnd - 1) { Ok, what if we do something like this: 1. Accept all RSTs meeting the criteria you just listed above. 2. Keep a global counter of all out of window RSTs that were received which corresponded to legitimate connections. (Don't track _all_ RSTs, or backscatter from scanners / etc will falsely be detected as an attack.) If we're over a certain threshold, set the "under attack" flag. 2a. This counter could also be per-socket, with a very low threshold. (I think I like this better, actually.) 3. If a RST arrives within the window, check the under attack flag; if we're under attack, drop it. If we're not under attack, accept it. Add to a counter tracking how many of these we received and what we did with them. With this setup, any attempt to run the brute-force RST attack *should* fail, unless the attack gets lucky enough to have one of his first few packets land in the window. However, it should still let oddball TCP stacks RST connections, because they're presumably going to land within the window on the first packet. This would also be easy to implement. :) Thoughts? Mike "Silby" Silbersack