From: Florian Westphal <fw@strlen.de>
To: Jiri Bohac <jbohac@suse.cz>
Cc: Jakob Lell <jakob@jakoblell.com>,
netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: Quick Blind TCP Connection Spoofing with SYN Cookies
Date: Fri, 16 Aug 2013 11:21:47 +0200
Message-ID: <20130816092147.GA5154@breakpoint.cc>
In-Reply-To: <20130815235743.GA25665@midget.suse.cz>
Jiri Bohac <jbohac@suse.cz> wrote:
> > The simplification of TCP Connection Spoofing described here is an
> > inherent problem of TCP SYN Cookies and so there won't be a simple
> > patch which just solves the issue and makes the Spoofing Attack as
> > hard as it is without SYN Cookies. It is only possible to gradually
> > increase the required effort for successfully spoofing a connection
> > e.g. by only accepting the last two instead of four counter values
> > (which will lead to a 60-120s
>
> If the counter is slowed down 4 times, accepting only two
> values should result in similar behaviour as we have today.
>
> Can anyone think of a reason this should not be done?
I was also working on patches that mitigate this (not ready yet),
let's compare notes.
There are two problems.
1) current scheme is dangerous with HZ=1000 on 32
bit platforms due to jiffies overflow, it needs to be fixed.
Else, cookies can be re-used exactly after 49 day period.
I did a straightforward replacement first to not change the current timer:
Use getnstimeofday(), take "second" value, shift result by 6 (64-second
granular timer).
If you have time to work on it, I would appreciate if you could take
care of this.
> Additionally, I believe we should reduce the number of possible MSS
> values. I think 3 values should be enough - not supporting jumbo
> frames and wasting a few bytes on sub-optimal MSS around 1400
> bytes should be acceptable when a system is under a DoS attack.
Agreed. I had an (untested) patch that just kicks out the unlikely
values. I used 536, 1200, 1440, 1460 for ipv4, and 536, 1220, 1460,
8940 for ipv6. I think this would be sufficient to keep decent
connectivity for legitimate clients.
We could add an alternate fallback table with more exotic values
and use a bit in the tcp timestamp to indicate use of fallback table
however since that only works when ts are used I would not do this unless
there is evidence that this is useful.
As for the cookie lifetime: I agree it should be reduced, allowing
delta for more than one minute seems way too long given that we never
retransmit lost syn/ack.
A conservative change would be to reject delta <= 2, with 64 second
timer.
Cheers,
Florian
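The counter and MSS-table scheme discussed above, modelled as an added example (constructed for this page; it is neither the kernel's syncookie code nor either author's patch). The mixer, the per-boot secret, the 8-bit counter field and the flow values are assumptions; it shows why a counter derived from 32-bit jiffies at HZ=1000 lets a cookie validate again after 2^32 ms, while a 64-second counter from wall-clock seconds does not.

```c
#include <stdint.h>

/* Constructed model: a cookie carries the low 8 bits of a time counter plus a
 * hash over the full counter, so the same cookie is minted again only when
 * the full counter value repeats. */
#define SECRET 0x5eed1234u                 /* constructed per-boot secret */
#define NMSS 4
static const uint16_t mss_table[NMSS] = {536, 1200, 1440, 1460}; /* ipv4 values from the mail */

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
static const struct flow demo_flow = {0x0a000001u, 0x0a000002u, 40000, 80}; /* constructed */

/* Per-minute counter from a 32-bit jiffies value: repeats whenever jiffies wraps. */
static uint32_t counter_jiffies(uint32_t jiffies, uint32_t hz) { return jiffies / (hz * 60); }
/* Proposed counter: wall-clock seconds shifted by 6, i.e. 64-second ticks. */
static uint32_t counter_seconds(uint64_t secs) { return (uint32_t)(secs >> 6); }

/* Index of the largest table MSS not exceeding the client's advertised MSS. */
static int mss_index(uint16_t mss) {
    for (int i = NMSS - 1; i >= 0; i--)
        if (mss_table[i] <= mss) return i;
    return 0;
}

/* Cheap 32-bit mixer standing in for the kernel's keyed hash (assumption). */
static uint32_t mix(uint32_t x) {
    x ^= x >> 16; x *= 0x7feb352du; x ^= x >> 15; x *= 0x846ca68bu; return x ^ (x >> 16);
}
static uint32_t cookie_hash(const struct flow *f, uint32_t count) {
    uint32_t ports = ((uint32_t)f->sport << 16) | f->dport;
    return mix(f->saddr ^ mix(f->daddr ^ mix(ports ^ mix(count ^ SECRET))));
}

/* cookie = (count mod 256) << 24 | (hash(flow, count) + mss index) mod 2^24 */
static uint32_t mint(const struct flow *f, uint32_t count, int idx) {
    return ((count & 0xffu) << 24) | ((cookie_hash(f, count) + (uint32_t)idx) & 0xffffffu);
}

/* Returns the MSS index if the cookie is younger than max_age ticks, else -1. */
static int check(const struct flow *f, uint32_t cookie, uint32_t now, uint32_t max_age) {
    uint32_t age = (now - (cookie >> 24)) & 0xffu;
    if (age >= max_age) return -1;
    uint32_t idx = (cookie - cookie_hash(f, now - age)) & 0xffffffu;
    return idx < NMSS ? (int)idx : -1;
}

/* 1 if a cookie minted at boot validates again once 32-bit jiffies has wrapped (HZ=1000). */
static int jiffies_reuse(void) {
    uint32_t c = mint(&demo_flow, counter_jiffies(0, 1000), mss_index(1460));
    uint32_t wrapped = (uint32_t)((uint64_t)1 << 32);   /* 2^32 ticks later: jiffies is 0 again */
    return check(&demo_flow, c, counter_jiffies(wrapped, 1000), 2) == mss_index(1460);
}
```

With the seconds-based counter the same elapsed time (4294967 s) lands on tick 67108, so the boot-time cookie is rejected.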
2013-08-13 13:57 Quick Blind TCP Connection Spoofing with SYN Cookies Jakob Lell
2013-08-14 21:02 ` some one
2013-08-15 23:57 ` Jiri Bohac
2013-08-16 0:00 ` [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks Jiri Bohac
2013-08-16 0:34 ` Neal Cardwell
2013-08-16 8:20 ` [PATCH v2 " Jiri Bohac
2013-08-16 21:47 ` [PATCH " Florian Westphal
2013-08-16 0:03 ` [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables Jiri Bohac
2013-08-16 21:40 ` Florian Westphal
2013-08-27 12:55 ` Jiri Bohac
2013-08-16 0:05 ` [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks Jiri Bohac
2013-08-16 21:31 ` Florian Westphal
2013-08-27 13:52 ` Jiri Bohac
2013-08-16 9:21 ` Florian Westphal [this message]