Date:      Wed, 17 Sep 2014 01:09:29 +0900 (JST)
From:      Tadaaki Nagao <nagao@iij.ad.jp>
To:        d@delphij.net, delphij@delphij.net
Cc:        freebsd-security@freebsd.org, steven@pyro.eu.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Message-ID:  <20140917.010929.1161101766373361820.nagao@iij.ad.jp>
In-Reply-To: <5418427B.9080909@delphij.net>
References:  <201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org> <5418427B.9080909@delphij.net>

Hi,

In "Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp",
    Xin Li <delphij@delphij.net> wrote:
> > On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> >> An attacker who has the ability to spoof IP traffic can tear down
> >> a TCP connection by sending only 2 packets, if they know both TCP
> >> port numbers.
> > 
> > This may be a silly question but, if the attacker can spoof IP
> > traffic, can't the same be done with a single RST packet?
> 
> By default RST has to be within the window if the connection is in
> ESTABLISHED state.  So in order to do that the attacker still needs to
> guess or know the sequence number.

No, in the case of RST packets, the check in tcp_input.c is much
narrower than the receiving window size.

Actually, it was the discussion in 2004 that the usual window size had
become large enough (64k or more?) for an attacker to easily guess the
sequence number by sending a feasible number of packets (2^32 /
window_size (<= 2^16)).

And this is also the case for SYN packets. I suspect that, even with the
patch in FreeBSD-SA-14:19.tcp applied, an attacker can still reset a
connection by sending the above mentioned number of SYN packets,
guessing an in-window sequence number.

See RFC5961, which discusses attack scenarios including these and
changes to the TCP specification.

-- 
Tadaaki Nagao <nagao@iij.ad.jp>
Internet Initiative Japan Inc.
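Added example, not from this thread and not FreeBSD's tcp_input.c: a Python model of the RST and SYN acceptance rules the message discusses, placing the pre-RFC 5961 in-window rule beside the RFC 5961 challenge-ACK rule and the 2^32 / window_size guess count. The window size and sequence numbers are constructed sample values.

```python
# Added example (not from the mailing-list thread or FreeBSD): models how a
# receiver in ESTABLISHED state treats an unauthenticated RST or SYN segment.
# Sequence arithmetic is mod 2**32; all inputs below are constructed values.

MOD = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    evaluated with wrap-around so that seq just past 2**32 still counts."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-RFC 5961 rule: any in-window RST tears the connection down, so a
    spoofer only has to hit a 2**32 / rcv_wnd sized target."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 sec. 3.2: reset only on an exact RCV.NXT match. An in-window
    but inexact RST draws a challenge ACK, which a genuine peer answers with a
    correctly sequenced RST and a blind spoofer never sees."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def syn_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 sec. 4.2: in a synchronized state a SYN never resets the
    connection directly; the receiver sends a challenge ACK and drops it,
    regardless of whether the sequence number is in window."""
    return "challenge-ack"


def blind_guesses_needed(rcv_wnd: int, exact_match_required: bool) -> int:
    """Worst-case number of spoofed segments before one is accepted:
    the 2**32 / window_size figure from the thread, or 2**32 if the
    receiver insists on an exact RCV.NXT match."""
    if exact_match_required:
        return MOD
    return -(-MOD // rcv_wnd)  # ceil(2**32 / rcv_wnd)
```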
