From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 22:00:15 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD02516A4CE for ; Fri, 23 Apr 2004 22:00:15 -0700 (PDT) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 685D843D3F for ; Fri, 23 Apr 2004 22:00:13 -0700 (PDT) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.9p2/8.12.9) with ESMTP id i3O5057E053032; Fri, 23 Apr 2004 22:00:10 -0700 (PDT) (envelope-from truckman@FreeBSD.org) Message-Id: <200404240500.i3O5057E053032@gw.catspoiler.org> Date: Fri, 23 Apr 2004 22:00:05 -0700 (PDT) From: Don Lewis To: silby@silby.com In-Reply-To: <20040423222922.F1915@odysseus.silby.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii cc: freebsd-security@FreeBSD.org Subject: Re: Proposed RST patch X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Apr 2004 05:00:15 -0000 On 23 Apr, Mike Silbersack wrote: > > Here's my proposed patch to change RST handling so that ESTABLISHED > connections are subject to strict RST checking, but connections in other > states are only subject to the "within the window" check. Part 2 of the > patch is simply a patch to netstat so that it displays the statistic. > > As expected, it's very straightforward, the only real question is what to > call the statistic... "Ignored RSTs in the window" isn't the best > description. > > FWIW, I've been testing with the exploit code > (reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this > change does indeed defeat the attack. It took me a while to get the code > working, they really munged up the libnet calls, but I guess that was the > intent. > + if (tp->last_ack_sent != th->th_seq) { I'd reverse the operand order here to match the operand order of the enclosing "if" block. Other than that tiny nit, this looks fine. What is our status with regards to the spoofed SYN version of the attack?