From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:27:21 2014
From: Lowell Gilbert
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 09:20:05 -0400
References: <201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org> <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com>
In-Reply-To: <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com> (Mark Felder's message of "Tue, 16 Sep 2014 07:35:26 -0500")
Message-ID: <44y4tjwvlm.fsf@lowell-desk.lan>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
List-Id: "Security issues [members-only posting]"

Mark Felder writes:

> On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
>> Hi,
>>
>> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
>> > An attacker who has the ability to spoof IP traffic can tear down a
>> > TCP connection by sending only 2 packets, if they know both TCP port
>> > numbers.
>>
>> This may be a silly question but, if the attacker can spoof IP traffic,
>> can't the same be done with a single RST packet?
>>
>
> Yes, this is how Sandvine anti-piracy products work. They detect you
> torrenting/P2P and then send an RST spoofed from the other end. You can
> defeat this by dropping RST altogether, which is what many people do.
> It's better if they don't blindly block all RST, and only to the ports
> they use for P2P...

That's not quite the same; that's a full man-in-the-middle attack on the
connection, so all of the connection information is available. The
problem being fixed here allowed an attacker to do that without knowing
the sequence numbers.

> I'm torn on calling this an actual security problem. It's certainly a
> bug -- defeated by a stateful firewall, as detailed in the SA -- but if
> someone can spoof the traffic... you've a problem at a different layer
> :-)

Spoofing traffic is pretty easy. The reason it isn't generally a problem
is that knowing what to spoof is more difficult. [I assume that's what
feld@ actually meant, but it's an important distinction.]
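Added example, not part of the thread and not FreeBSD code: the distinction Lowell draws (spoofing is easy, knowing what to spoof is hard) comes down to the receiver's check on the RST's sequence number. The model below implements the ordinary acceptance rule for an incoming RST: the ports must match an existing connection, which is all the advisory's off-path attacker is assumed to know, and the sequence number must fall inside the receive window (RFC 793) or, with the RFC 5961 hardening that later stacks adopted, equal RCV.NXT exactly. An on-path attacker such as the Sandvine appliance Mark describes has observed the sequence numbers and needs one packet; a blind spoofer has to guess across a 32-bit space. The kernel-side check that FreeBSD-SA-14:19.tcp fixed is not modelled here; the example only shows the baseline an off-path attacker normally has to beat. All ports, sequence numbers and window sizes are constructed sample values.

```python
"""Off-path (blind) RST versus on-path RST.

Added example; not code from the mailing-list thread or from FreeBSD.
Models the receiver's acceptance rule for a TCP RST segment: matching
4-tuple plus an in-window sequence number (RFC 793), or an exact
SEG.SEQ == RCV.NXT match (RFC 5961). Sample values are constructed.
"""
import random
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32


@dataclass
class TcpConn:
    local_port: int
    peer_port: int
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # advertised receive window, in bytes


@dataclass
class Segment:
    src_port: int  # as seen by the receiver: the (claimed) peer port
    dst_port: int
    seq: int
    rst: bool = False


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2**32."""
    return ((seq - rcv_nxt) % SEQ_SPACE) < rcv_wnd


def rst_accepted(conn, seg, strict=False):
    """True if `seg` would tear down `conn`.

    The port check is all an off-path spoofer can satisfy from the advisory's
    premise ("if they know both TCP port numbers"); the sequence-number check
    is what normally stops them. strict=True applies the RFC 5961 rule: only
    SEG.SEQ == RCV.NXT resets; an in-window but inexact RST gets a challenge
    ACK instead of tearing the connection down.
    """
    if not seg.rst:
        return False
    if (seg.src_port, seg.dst_port) != (conn.peer_port, conn.local_port):
        return False
    if strict:
        return seg.seq == conn.rcv_nxt
    return in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd)


def onpath_rst(conn):
    """Attacker who observed the connection (the Sandvine case): one packet."""
    seg = Segment(conn.peer_port, conn.local_port, conn.rcv_nxt, rst=True)
    return rst_accepted(conn, seg, strict=True)


def blind_rst(conn, seed, max_packets, strict=False):
    """Attacker who knows only the ports and guesses sequence numbers.

    Returns the number of packets sent when a RST was first accepted, or
    None if `max_packets` were exhausted. `seed` makes the run reproducible.
    """
    rng = random.Random(seed)
    for n in range(1, max_packets + 1):
        guess = rng.randrange(SEQ_SPACE)
        seg = Segment(conn.peer_port, conn.local_port, guess, rst=True)
        if rst_accepted(conn, seg, strict=strict):
            return n
    return None


def expected_blind_packets(rcv_wnd, strict=False):
    """Mean number of uniformly random guesses before one is accepted."""
    return SEQ_SPACE / (1 if strict else rcv_wnd)


if __name__ == "__main__":
    # Constructed sample: a BitTorrent-style peer connection (port 6881).
    conn = TcpConn(local_port=51234, peer_port=6881, rcv_nxt=0x12345678, rcv_wnd=65535)
    print("on-path RST accepted:", onpath_rst(conn))
    print("blind RST within 1000 packets:", blind_rst(conn, seed=1, max_packets=1000))
    print("expected blind packets, RFC 793 window: %.0f" % expected_blind_packets(conn.rcv_wnd))
    print("expected blind packets, RFC 5961 exact: %.0f" % expected_blind_packets(conn.rcv_wnd, strict=True))
```

The numbers are the point: with a 64 KiB window an off-path attacker needs on the order of 65 thousand spoofed RSTs per connection under the RFC 793 rule and about four billion under RFC 5961, whereas an on-path attacker needs one. A stack bug that lets the sequence-number check be skipped, which is what the advisory describes, collapses the first case into the second without the attacker having to be on path, which is why a stateful firewall that tracks the connection's window is the workaround the SA recommends.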