From: "Wolfpaw - Dale Corse" <admin@wolfpaw.net>
To: <alan@lxorguk.ukuu.org.uk>
Cc: <kaukasoi@elektroni.ee.tut.fi>, <linux-kernel@vger.kernel.org>
Subject: RE: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified)Denial of Service Attack
Date: Sun, 12 Sep 2004 12:52:29 -0600 [thread overview]
Message-ID: <002701c498f9$a7203140$0200a8c0@wolf> (raw)
In-Reply-To: <02b001c498f6$7942bc50$0300a8c0@s>
Hi Alan,
> On Sul, 2004-09-12 at 18:29, Wolfpaw - Dale Corse wrote:
> > A fair comment :) But look at it this way:
> >
> > - The TCP RFC was last updated when?
>
> About 2 months ago. The 793 RFC isn't updated instead new
> ones are added for the additional features/discoveries.
My fault there :( Sorry.
> > - What is the average time for a tcp packet to fly even across
> > the world these days? Maybe 300 ms? 1 second? 5?
> > - It is not a secret that the TCP protocol has flaws, take for
> > example the RST bug, which required among other things, BGP4
> > to use MD5 encryption to avoid being potentially attacked.
>
> This is not a TCP flaw, its a combination of poor design by
> certain vendors, poor BGP implementation and a lack of
> understanding of what TCP does and does not do. See IPSec.
> TCP gets stuff from A to B in order and knowing to a
> resonable degree what arrived. TCP does not proide a security service.
>
> (The core of this problem arises because certain people treat
> TCP connection down on the peering session as link down)
Good point :)
> > So this brings me to:
> >
> > A) Why are the timeouts so long?
>
> So you don't get random corruption
Hmm. I'll take your word for it, I'm not quite grasping it,
but you know quite a bit more about it then I do :) I would
have thought once a close is sent, the data has all been received
and/or sent anyway, so what would corrupt?
> > C) Socket still re-uses an FD before it is actually completely
>
> Pardon ?
It _appears_ that when we close a socket (ie with mysql_close) on
the client side, the client side closes the FD properly (though Mysql
doesn't), and then if we call connect (which it does a lot, being a proxy
server) it will reuse that FD. At this point, the Mysql side still hasn't
closed it, and it is sitting in CLOSE_WAIT, where it remains forever, since
it is in use by the client side elsewhere already. Should connect be
checking the "list of not connected, but state other then CLOSED" list
before it decides to use a particular FD? Or is this behavior intentional?
> > sending something to the other side is required, but I can't see why
> > having the other side send something back is part of the protocol.
> > This could be
>
> Because packet sizes are finite and not doing so requires an
> infinite sequence space and thus infinite packet sizes.
> Reread the TCP specifications more carefully, also look at
> RFC1337 which discusses some of the real world cases of
> getting this wrong.
Fair enough, thank you for clarifying it for me :)
Keep up the good work :) (which you do a lot of I might add :)
D.
next parent reply other threads:[~2004-09-12 18:52 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <02b001c498f6$7942bc50$0300a8c0@s>
2004-09-12 18:52 ` Wolfpaw - Dale Corse [this message]
2004-09-12 18:06 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified)Denial of Service Attack Alan Cox
[not found] <02bf01c498ff$b6512470$0300a8c0@s>
2004-09-12 19:42 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial " Wolfpaw - Dale Corse
2004-09-12 19:53 ` Willy Tarreau
[not found] <02b201c498f6$8bb92540$0300a8c0@s>
2004-09-12 18:40 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified)Denial " Wolfpaw - Dale Corse
2004-09-12 18:01 ` Alan Cox
2004-09-12 19:48 ` Willy Tarreau
2004-09-13 6:59 ` Jurjen Oskam
[not found] <02a401c498e9$9167aff0$0300a8c0@s>
2004-09-12 17:29 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial " Wolfpaw - Dale Corse
2004-09-12 17:04 ` Alan Cox
2004-09-12 19:23 ` Toon van der Pas
2004-09-13 3:18 ` Paul Jakma
2004-09-13 3:30 ` Paul Jakma
2004-09-13 4:18 ` Willy Tarreau
2004-09-13 4:25 ` Paul Jakma
2004-09-13 19:07 ` Tonnerre
2004-09-13 19:18 ` Willy Tarreau
2004-09-13 19:25 ` Paul Jakma
2004-09-13 20:11 ` Ville Hallivuori
2004-09-14 14:55 ` Paul Jakma
2004-09-14 15:10 ` Alan Cox
2004-09-14 16:26 ` Paul Jakma
2004-09-14 16:09 ` Alan Cox
2004-09-14 17:17 ` Paul Jakma
2004-09-20 22:02 ` Florian Weimer
2004-09-21 2:14 ` Herbert Xu
2004-09-21 18:32 ` Florian Weimer
2004-09-21 19:56 ` David S. Miller
2004-09-21 20:04 ` Florian Weimer
2004-09-21 20:25 ` David S. Miller
2004-09-21 20:51 ` Florian Weimer
2004-09-14 19:41 ` Willy Tarreau
2004-09-14 18:56 ` Alan Cox
2004-09-20 22:03 ` Florian Weimer
2004-09-20 23:12 ` Alan Cox
[not found] <029201c498d8$dff156f0$0300a8c0@s>
2004-09-12 15:45 ` Wolfpaw - Dale Corse
2004-09-12 16:47 ` Petri Kaukasoina
2004-09-12 17:59 ` Willy Tarreau
2004-09-12 17:17 ` Alan Cox
2004-09-12 18:18 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='002701c498f9$a7203140$0200a8c0@wolf' \
--to=admin@wolfpaw.net \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=kaukasoi@elektroni.ee.tut.fi \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox