From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 16:14:55 2014
Date: Wed, 17 Sep 2014 01:09:29 +0900 (JST)
Message-Id: <20140917.010929.1161101766373361820.nagao@iij.ad.jp>
From: Tadaaki Nagao
To: d@delphij.net, delphij@delphij.net
Cc: freebsd-security@freebsd.org, steven@pyro.eu.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
In-Reply-To: <5418427B.9080909@delphij.net>
References: <201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org> <5418427B.9080909@delphij.net>
List-Id: "Security issues [members-only posting]"

Hi,

In "Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp", Xin Li wrote:
> > On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> >> An attacker who has the ability to spoof IP traffic can tear down
> >> a TCP connection by sending only 2 packets, if they know both TCP
> >> port numbers.
> >
> > This may be a silly question but, if the attacker can spoof IP
> > traffic, can't the same be done with a single RST packet?
>
> By default RST has to be within the window if the connection is in
> ESTABLISHED state. So in order to do that the attacker still needs to
> guess or know the sequence number.

No, in the case of RST packets, the check in tcp_input.c is much narrower than the receiving window size.

Actually, it was the discussion in 2004 that the usual window size had become large enough (64k or more?) for an attacker to easily guess the sequence number by sending a feasible number of packets (2^32 / window_size (<= 2^16)).

And this is also the case for SYN packets. I suspect that, even with the patch in FreeBSD-SA-14:19.tcp applied, an attacker can still reset a connection by sending the above mentioned number of SYN packets, guessing an in-window sequence number.

See RFC5961, which discusses attack scenarios including these and changes to the TCP specification.

--
Tadaaki Nagao
Internet Initiative Japan Inc.
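The exchange above turns on what sequence-number check a receiver in ESTABLISHED state applies to a spoofed RST or SYN. The following is an added example, not code from FreeBSD's tcp_input.c or from anyone in this thread: a small Python model of the classic "anywhere in the receive window" rule next to the stricter checks RFC 5961 describes (section 3: a RST is honoured only when its sequence number is exactly RCV.NXT, otherwise an in-window RST earns a challenge ACK; section 4: a SYN in ESTABLISHED state always earns a challenge ACK instead of a reset). Function names, the segment values and the window sizes are constructed for illustration; the model ignores everything except the sequence-number test.

```python
from fractions import Fraction

# TCP sequence numbers are 32 bits wide, so every comparison is done modulo 2^32.
SEQ_MOD = 1 << 32


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seg_seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with wraparound."""
    return (seg_seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seg_seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool) -> str:
    """Decide what an ESTABLISHED receiver does with a RST segment.

    Returns "reset" (connection torn down), "challenge-ack" (peer is asked
    to confirm with its own sequence number) or "drop".
    """
    if not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not rfc5961:
        # Classic RFC 793 behaviour: any in-window RST resets the connection,
        # so a blind sender only has to land somewhere inside rcv_wnd.
        return "reset"
    if seg_seq % SEQ_MOD == rcv_nxt % SEQ_MOD:
        # RFC 5961 section 3.2: only the exact next expected sequence number
        # is accepted outright.
        return "reset"
    # In window but not exact: answer with a challenge ACK. A genuine peer
    # will resend the RST with the right number; a guesser gains nothing.
    return "challenge-ack"


def classify_syn(seg_seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool) -> str:
    """Decide what an ESTABLISHED receiver does with a SYN segment."""
    if rfc5961:
        # RFC 5961 section 4.2: a SYN in ESTABLISHED state is answered with a
        # challenge ACK regardless of its sequence number, never with a reset.
        return "challenge-ack"
    # Classic behaviour: an in-window SYN is treated as an error and resets.
    return "reset" if seq_in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def reset_fraction(rcv_wnd: int, rfc5961: bool) -> Fraction:
    """Fraction of the 32-bit sequence space for which a single blind RST
    tears the connection down, i.e. the inverse of the "2^32 / window_size"
    packet count discussed in the thread."""
    accepted = 1 if rfc5961 else rcv_wnd
    return Fraction(accepted, SEQ_MOD)


def demo() -> list:
    """Run a few constructed segments through both policies."""
    rcv_nxt, rcv_wnd = 1000, 65535
    # (kind, seg_seq): exact match, in-window guess, wraparound case, far off
    segments = [("rst", 1000), ("rst", 1500), ("rst", 999), ("syn", 1500), ("syn", 1 << 31)]
    rows = []
    for kind, seq in segments:
        fn = classify_rst if kind == "rst" else classify_syn
        rows.append((kind, seq, fn(seq, rcv_nxt, rcv_wnd, False), fn(seq, rcv_nxt, rcv_wnd, True)))
    return rows


if __name__ == "__main__":
    for kind, seq, classic, strict in demo():
        print(f"{kind.upper():3} seq={seq:<11} classic={classic:<13} rfc5961={strict}")
    for wnd in (65535, 1 << 20):
        print(f"window {wnd}: classic 1/{1 / reset_fraction(wnd, False):.0f}, "
              f"rfc5961 1/{1 / reset_fraction(wnd, True):.0f}")
```

The `reset_fraction` helper makes Tadaaki's point concrete: under the classic rule the accepted share of sequence space grows with the window, so large windows are exactly what made blind resets practical, while the RFC 5961 rule pins it at one value in 2^32 for RST and, for SYN, removes the reset path altogether.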