From: Jiri Bohac <jbohac@suse.cz>
To: Jakob Lell <jakob@jakoblell.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: Quick Blind TCP Connection Spoofing with SYN Cookies
Date: Fri, 16 Aug 2013 01:57:43 +0200 [thread overview]
Message-ID: <20130815235743.GA25665@midget.suse.cz> (raw)
In-Reply-To: <520A3B4A.1050704@jakoblell.com>
On Tue, Aug 13, 2013 at 03:57:30PM +0200, Jakob Lell wrote:
> VIII. Possible mitigation options
>
> The simplification of TCP Connection Spoofing described here is an
> inherent problem of TCP SYN Cookies and so there won't be a simple
> patch which just solves the issue and makes the Spoofing Attack as
> hard as it is without SYN Cookies. It is only possible to gradually
> increase the required effort for successfully spoofing a connection
> e.g. by only accepting the last two instead of four counter values
> (which will lead to a 60-120s
If the counter is slowed down 4 times, accepting only two
values should result in similar behaviour as we have today.
Can anyone think of a reason this should not be done?
Additionally, I believe we should reduce the number of possible MSS
values. I think 3 values should be enough - not supporting jumbo
frames and wasting a few bytes on sub-optimal MSS around 1400
bytes should be acceptable when a system is under a DoS attack.
I have 3 patches doing just that:
1 - slow down the timer and improve the situation by a factor of 2
2 - since not everyone will be happy with exactly 3 MSS values,
let's make this configurable via sysctl
3 - decrease the default number of MSS values to 3 and improve
the situation by a factor of 8/3
These patches combined make the attack 5.3 times harder. By
using the sysctl to only set two possible MSSs, one can make
the attack 8 times harder - and only 4 times easier than
previously believed.
The patches are compile-tested only.
Thoughts?
--
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ
next prev parent reply other threads:[~2013-08-15 23:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-13 13:57 Quick Blind TCP Connection Spoofing with SYN Cookies Jakob Lell
2013-08-14 21:02 ` some one
2013-08-15 23:57 ` Jiri Bohac [this message]
2013-08-16 0:00 ` [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks Jiri Bohac
2013-08-16 0:34 ` Neal Cardwell
2013-08-16 8:20 ` [PATCH v2 " Jiri Bohac
2013-08-16 21:47 ` [PATCH " Florian Westphal
2013-08-16 0:03 ` [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables Jiri Bohac
2013-08-16 21:40 ` Florian Westphal
2013-08-27 12:55 ` Jiri Bohac
2013-08-16 0:05 ` [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks Jiri Bohac
2013-08-16 21:31 ` Florian Westphal
2013-08-27 13:52 ` Jiri Bohac
2013-08-16 9:21 ` Quick Blind TCP Connection Spoofing with SYN Cookies Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130815235743.GA25665@midget.suse.cz \
--to=jbohac@suse.cz \
--cc=davem@davemloft.net \
--cc=jakob@jakoblell.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.