From: Patrick McHardy <kaber@trash.net>
To: Ariel Rosenblatt <ariel@blueslice.com>
Cc: 'Harald Welte' <laforge@netfilter.org>,
netfilter-devel@lists.netfilter.org,
'Kiran Kumar Immidi' <immidi@spymac.com>
Subject: Re: ip_conntrack_proto_sctp INIT_ACK messages dropped
Date: Tue, 22 Feb 2005 15:05:54 +0100 [thread overview]
Message-ID: <421B3C42.2060106@trash.net> (raw)
In-Reply-To: <000e01c51843$d0a2e8e0$320aa8c0@blueslicemtl>
Ariel Rosenblatt wrote:
> You are right about the conntrack being susceptible to fraudulent INIT
> messages. This holds true for INIT-ACKs as well as the first INIT sent.
>
> Saving the verification tags harms more than it helps, because it makes the
> connection tracking vulnerable to DoS attacks. While the goal is dumping
> invalid traffic, it could instead wind up discarding valid traffic.
>
> I thought about these issues and I don't see a way of using verification
> tags without making the connection tracking susceptible to these problems.
> Saving tie-tags for existing associations until the COOKIE-ECHO/ACK is
> processed could alleviate the problem. However, it will still take one
> fraudulent message to launch an attack and cause the module to discard valid
> traffic or prevent the association from being established by overwriting the
> valid tie-tag.
How can it be attacked with a single message? I'm thinking of something
like this (based on RFC 2960 5.2.4.1):

Endpoint A                                          Endpoint Z
<-------------- Association is established---------------------->
Tag=Tag_A                                             Tag=Tag_Z
<--------------------------------------------------------------->

{A crashes and restarts}
{app sets up an association with Z}
(build TCB)
INIT [I-Tag=Tag_A'
      & other info]  --------\   <- conntrack lets this packet pass
(Start T1-init timer)         \
(Enter COOKIE-WAIT state)      \---> (find an existing TCB
                                     compose temp TCB and Cookie_Z
                                     with Tie-Tags to previous
                                     association)
                                /--- INIT ACK [Veri Tag=Tag_A',
                               /           I-Tag=Tag_Z',
(Cancel T1-init timer) <------/           Cookie_Z[TieTags=
                                                  Tag_A,Tag_Z
                                           & other info]
                              (destroy temp TCB, leave original
                               in place)

Conntrack notes the Tie-Tags if they match the used tags and
lets this message pass.

COOKIE ECHO [Veri=Tag_Z',
             Cookie_Z
             Tie=Tag_A,
             Tag_Z]----------\
(Start T1-init timer)         \
(Enter COOKIE-ECHOED state)    \---> (Find existing association,
                                     Tie-Tags match old tags,
                                     Tags do not match i.e.
                                     case X X M M above,
                                     Announce Restart to ULP
                                     and reset association).

Conntrack verifies the tags match the saved tags and resets the
association.
So without a full exchange no data is changed.
> In the meantime I patched the module with the code below (please see a more
> robust patch at the end of the message) to solve the saved vtag problem for
> both directions.
Thanks. I applied this slightly different version (no new variable) and
I'm going to submit it later today.
Regards
Patrick
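The two points argued in this exchange, shown as an added user-space model (editor's example; this is neither the netfilter module's code nor Ariel's patch): an Initiate Tag announced in an INIT or INIT ACK is the verification tag the peer must carry in the opposite direction, so the tracker has to store it for the reverse of the packet's direction, and a restart INIT on a live association should only stage the new tags until the INIT ACK / COOKIE ECHO exchange completes. The struct and field names, the helper functions and the tag values are this example's own constructions. The "pending" tags are one reading of the tie-tag idea from the diagram: the model keys the restart on the outer verification tags the INIT and INIT ACK announce and does not try to parse Cookie_Z. A real tracker would also need to time out a staged restart that never completes; that is left out here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Packet direction relative to the tracked association, in the same 0/1 order as the
 * kernel's IP_CT_DIR_ORIGINAL / IP_CT_DIR_REPLY, so that !dir is the opposite direction. */
enum dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
enum chunk { CH_INIT, CH_INIT_ACK, CH_COOKIE_ECHO, CH_DATA };

struct sctp_track {            /* hypothetical tracking state, this example's own layout */
    uint32_t vtag[2];          /* vtag[d]: tag a packet flowing in direction d must carry */
    uint32_t pending[2];       /* tags announced by a restart INIT / INIT ACK, not yet committed */
    bool established, restarting;
};

/* What the tracker sees of a packet; init_tag is the Initiate Tag of an INIT / INIT ACK. */
struct pkt { enum dir dir; uint32_t vtag; enum chunk chunk; uint32_t init_tag; };

/* Returns true if the packet is let through, updating the state on the way.
 * fixed=true stores an Initiate Tag for the opposite direction (what the patch does);
 * fixed=false always writes the ORIGINAL slot, whatever the packet's direction. */
bool track_packet(struct sctp_track *t, const struct pkt *p, bool fixed)
{
    int slot = fixed ? !p->dir : DIR_ORIGINAL;   /* direction the announced tag applies to */
    uint32_t *tags = t->restarting ? t->pending : t->vtag;
    switch (p->chunk) {
    case CH_INIT:
        if (p->vtag != 0)                         /* an INIT carries vtag 0 (RFC 2960 8.5.1 A) */
            return false;
        if (t->established) {                     /* restart attempt on a live association: */
            t->pending[slot] = p->init_tag;       /* note the new tag, keep the committed ones */
            t->restarting = true;
        } else {
            t->vtag[slot] = p->init_tag;
        }
        return true;
    case CH_INIT_ACK:                             /* must answer the tag the INIT announced */
        if (p->vtag != tags[p->dir])
            return false;
        tags[slot] = p->init_tag;
        return true;
    case CH_COOKIE_ECHO:                          /* third leg: the exchange is complete */
        if (p->vtag != tags[p->dir])
            return false;
        if (t->restarting) {                      /* commit the new tags = association reset */
            memcpy(t->vtag, t->pending, sizeof t->vtag);
            t->restarting = false;
        }
        t->established = true;
        return true;
    default:                                      /* DATA and everything else */
        return p->vtag == t->vtag[p->dir];
    }
}

/* Constructed sample tags; real endpoints choose them randomly. */
#define TAG_A  0xA1A1A1A1u
#define TAG_Z  0x5A5A5A5Au
#define TAG_A2 0xA2A2A2A2u   /* Tag_A' after A restarts */
#define TAG_Z2 0x5B5B5B5Bu   /* Tag_Z' */

/* Build one packet and run it through the tracker; returns whether it passed. */
static bool feed(struct sctp_track *t, enum dir d, uint32_t vtag, enum chunk c, uint32_t itag, bool fixed)
{
    const struct pkt p = { d, vtag, c, itag };
    return track_packet(t, &p, fixed);
}

/* Handshake plus one DATA packet each way; returns how many of the five packets got
 * through: 5 with the patched slot choice, 1 with the old one (the INIT ACK is dropped). */
int run_handshake(bool fixed)
{
    struct sctp_track t = {{0, 0}, {0, 0}, false, false};
    int passed = 0;
    passed += feed(&t, DIR_ORIGINAL, 0,     CH_INIT,        TAG_A, fixed); /* A->Z INIT[I-Tag=Tag_A] */
    passed += feed(&t, DIR_REPLY,    TAG_A, CH_INIT_ACK,    TAG_Z, fixed); /* Z->A INIT ACK[Veri=Tag_A, I-Tag=Tag_Z] */
    passed += feed(&t, DIR_ORIGINAL, TAG_Z, CH_COOKIE_ECHO, 0,     fixed); /* A->Z COOKIE ECHO[Veri=Tag_Z] */
    passed += feed(&t, DIR_REPLY,    TAG_A, CH_DATA,        0,     fixed);
    passed += feed(&t, DIR_ORIGINAL, TAG_Z, CH_DATA,        0,     fixed);
    return passed;
}

/* The restart exchange from the diagram.  Bit 0: DATA on the old tags still accepted after
 * the lone INIT; bit 1: rejected once the exchange completed; bit 2: DATA on the new tags
 * accepted.  All three hold, so the result is 7. */
int run_restart(void)
{
    struct sctp_track t = {{0, 0}, {0, 0}, false, false};
    int result = 0;
    feed(&t, DIR_ORIGINAL, 0,     CH_INIT,        TAG_A,  true); /* establish Tag_A / Tag_Z first */
    feed(&t, DIR_REPLY,    TAG_A, CH_INIT_ACK,    TAG_Z,  true);
    feed(&t, DIR_ORIGINAL, TAG_Z, CH_COOKIE_ECHO, 0,      true);
    feed(&t, DIR_ORIGINAL, 0,     CH_INIT,        TAG_A2, true); /* A restarted: INIT[I-Tag=Tag_A'] */
    if (feed(&t, DIR_REPLY, TAG_A, CH_DATA, 0, true))   result |= 1; /* old-tag DATA still flows */
    feed(&t, DIR_REPLY,    TAG_A2, CH_INIT_ACK,    TAG_Z2, true); /* INIT ACK[Veri=Tag_A', I-Tag=Tag_Z'] */
    feed(&t, DIR_ORIGINAL, TAG_Z2, CH_COOKIE_ECHO, 0,      true); /* COOKIE ECHO[Veri=Tag_Z']: reset */
    if (!feed(&t, DIR_REPLY, TAG_A,  CH_DATA, 0, true)) result |= 2; /* old tags now rejected */
    if (feed(&t, DIR_REPLY,  TAG_A2, CH_DATA, 0, true)) result |= 4; /* new tags accepted */
    return result;
}
```

Calling run_handshake(false) reproduces the symptom in the subject line of this thread: with the Initiate Tag always written to the ORIGINAL slot, the REPLY slot stays zero and the INIT ACK (and everything after it) fails the verification-tag check. run_restart() shows the point made above the diagram: the INIT by itself changes nothing that is already committed, so existing traffic keeps flowing, and the committed tags only change once the INIT ACK and COOKIE ECHO have both been seen.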
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1056 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/02/22 14:52:03+01:00 ariel@blueslice.com
# [NETFILTER]: Fix sctp association restart
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/ipv4/netfilter/ip_conntrack_proto_sctp.c
# 2005/02/22 14:51:54+01:00 ariel@blueslice.com +2 -2
# [NETFILTER]: Fix sctp association restart
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-02-22 14:54:35 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-02-22 14:54:35 +01:00
@@ -400,8 +400,8 @@
return -1;
}
DEBUGP("Setting vtag %x for dir %d\n",
- ih->init_tag, CTINFO2DIR(ctinfo));
- conntrack->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = ih->init_tag;
+ ih->init_tag, !CTINFO2DIR(ctinfo));
+ conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
}
conntrack->proto.sctp.state = newconntrack;
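Review bot: the index `!CTINFO2DIR(ctinfo)` in the new assignment is correct but reads as a trick without a comment; one line above it such as `/* the Initiate Tag an endpoint announces is the vtag its peer must use in the other direction */` would say why the opposite slot is the right one. It also quietly depends on IP_CT_DIR_ORIGINAL and IP_CT_DIR_REPLY being 0 and 1; spelling it as `CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL` (or a small helper) keeps the intent explicit if the enum ever changes. The DEBUGP argument is updated consistently with the store, which is good.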