From: Pablo Neira <pablo@eurodev.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>
Subject: Re: [RFC] Die to NOTRACK/TRACE, long live MARK!
Date: Thu, 20 May 2004 12:48:39 +0200 [thread overview]
Message-ID: <40AC8D07.3090308@eurodev.net> (raw)
In-Reply-To: <Pine.LNX.4.33.0405192236590.3749-100000@blackhole.kfki.hu>
Hi Jozsef,
Jozsef Kadlecsik wrote:
>Willy Tarreau suggested that the TCP window tracking code could be used to
>protect connections against the "TCP vulnerabilities" brought up recently
>(see for example http://www.uniras.gov.uk/vuls/2004/236929). After some
>discussion and code-fragments the result is that it could be done fairly
>easily: the SYN/RST probes could be counted and when a threshold is
>reached, we'd deliberately drop in-window SYN/RST segments to protect the
>connection. However, it'd then mean a violation of the TCP protocol
>specification and therefore I'd definitely not like to enable it by
>default or to enable it for all traffic. So there should be a way to tell
>the system which connections (packets) to protect.
>
>
I agree, these options shouldn't be enable by default, as I told you in
my last email related to window-tracking stuff that we could set the
default action (NF_*) applied to packet via sysctl, so a sysadmin could
choose to perform an agressive window /secuence tracking, this way if we
see out-of-window packets, we could log and drop them.
>We could introduce a new silly target for that purpose like NOTRACK or
>TRACE. However it's pure marking and we do have a interface to mark
>packets: the MARK target. So if we could tell the system which mark value
>has got the given special meaning, we wouldn't need a new target and we
>could even eliminate the NOTRACK/TRACE targets.
>
>
yes, I think that's ok, we could implement a set of "security" matches
which perform some action depending on the mark. For example,
mark_rst_protection could use internal tcp conntrack information to see
if an rst was retransmited too many times and block rst's during a
timeout to reduce effects of an rst attack or whatsoever. So we should
reserve a range of marks.
regards,
Pablo
next prev parent reply other threads:[~2004-05-20 10:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-19 21:30 [RFC] Die to NOTRACK/TRACE, long live MARK! Jozsef Kadlecsik
2004-05-20 10:48 ` Pablo Neira [this message]
2004-05-21 0:20 ` Philip Craig
2004-05-21 2:12 ` Patrick McHardy
2004-05-22 12:38 ` Jozsef Kadlecsik
2004-05-22 14:57 ` Patrick McHardy
2004-05-23 8:55 ` Martin Josefsson
2004-05-23 17:00 ` Patrick McHardy
2004-05-25 12:38 ` Pablo Neira
2004-05-25 17:45 ` Patrick McHardy
2004-05-27 10:33 ` Henrik Nordstrom
2004-05-28 11:41 ` Pablo Neira
2004-05-21 12:35 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40AC8D07.3090308@eurodev.net \
--to=pablo@eurodev.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.