public inbox for linux-kernel@vger.kernel.org
From: Willy Tarreau <willy@w.ods.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: davem@davemloft.net, xschmi00@stud.feec.vutbr.cz,
	alastair@unixtrix.com, linux-kernel@vger.kernel.org,
	netdev@oss.sgi.com
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Date: Mon, 13 Jun 2005 07:21:48 +0200	[thread overview]
Message-ID: <20050613052148.GF8907@alpha.home.local> (raw)
In-Reply-To: <20050613044810.GA32103@gondor.apana.org.au>

On Mon, Jun 13, 2005 at 02:48:10PM +1000, Herbert Xu wrote:
> On Sun, Jun 12, 2005 at 04:24:01PM +0200, Willy Tarreau wrote:
> >
> > 1) no firewall in front of A
> >   - C spoofs A and sends a fake SYN to B
> >   - B responds to A with a SYN-ACK
> >   - A sends an RST to B, which clears the session
> >   - A wants to connect and sends its SYN to B which accepts it.
> 
> Well the attacker simply has to keep sending the same SYN packet
> over and over again until A runs out of SYN retries.
> 
> What I really don't like about your patch is the fact that it is
> trying to impose a policy decision (that of forbidding all
> simultaneous connection initiations) inside the TCP stack.

It's the same for ECN or SYN cookies.

> A much better place to do that is netfilter.  If you do it there
> then not only will you protect all Linux machines from this attack,
> but you'll also protect all the other BSD-derived TCP stacks.

Netfilter already blocks simultaneous connections. A SYN in return to
a SYN produces an INVALID state.

Cheers,
Willy
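To make the last point concrete, here is a small Python model of the verdicts a stateful filter gives the two packet sequences discussed in this thread. It is an added example written for this page, not netfilter code: the state names echo conntrack's, but the `Tracker` class, the `Packet` type and the two scenario functions are all constructed here and the logic is a simplification of real connection tracking. It shows that a SYN answering an already-tracked SYN is classed INVALID, while the spoofed-SYN sequence from the quoted scenario passes as ordinary traffic, because a filter in front of B cannot tell a forged SYN carrying A's address from A's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# TCP flag combinations spelled out as strings for readability.
SYN, SYN_ACK, ACK, RST = "SYN", "SYN-ACK", "ACK", "RST"


@dataclass
class Packet:
    src: str    # source address as seen on the wire (a spoofed packet carries the victim's)
    dst: str
    flags: str


@dataclass
class Tracker:
    """Toy connection tracker with one entry per (originator, responder) pair.

    Simplified model written for this example; the verdict names follow the
    netfilter conntrack vocabulary (NEW / ESTABLISHED / INVALID), but this is
    not the kernel's implementation.
    """
    flows: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst)   # packet travels originator -> responder
        rev = (pkt.dst, pkt.src)   # packet travels responder -> originator

        if pkt.flags == SYN:
            if self.flows.get(fwd) == "SYN_SENT":
                return "NEW"                    # originator retransmitting its own SYN
            if rev in self.flows:
                return "INVALID"                # a SYN answering a SYN: simultaneous open
            self.flows[fwd] = "SYN_SENT"
            return "NEW"

        if pkt.flags == SYN_ACK:
            if self.flows.get(rev) == "SYN_SENT":
                self.flows[rev] = "SYN_RECV"
                return "ESTABLISHED"            # reply direction of a tracked flow
            return "INVALID"

        if pkt.flags == ACK:
            if self.flows.get(fwd) == "SYN_RECV":
                self.flows[fwd] = "ESTABLISHED"
                return "ESTABLISHED"
            if "ESTABLISHED" in (self.flows.get(fwd), self.flows.get(rev)):
                return "ESTABLISHED"
            return "INVALID"

        if pkt.flags == RST:
            # An RST from either end of a tracked flow tears the entry down.
            for key in (fwd, rev):
                if key in self.flows:
                    del self.flows[key]
                    return "ESTABLISHED"
            return "INVALID"

        return "INVALID"


def run(packets: List[Packet]) -> List[str]:
    tracker = Tracker()
    return [tracker.classify(p) for p in packets]


def spoofed_syn_sequence() -> List[str]:
    """The four steps quoted above, as seen by a stateful filter in front of B."""
    return run([
        Packet("A", "B", SYN),       # sent by C with A's source address: indistinguishable from A
        Packet("B", "A", SYN_ACK),
        Packet("A", "B", RST),       # the real A clears the half-open session
        Packet("A", "B", SYN),       # A's genuine connection attempt
    ])


def simultaneous_open_sequence() -> List[str]:
    """Both ends send a SYN: the second one is a SYN in return to a SYN."""
    return run([
        Packet("A", "B", SYN),
        Packet("B", "A", SYN),
    ])


if __name__ == "__main__":
    print("spoofed SYN sequence:", spoofed_syn_sequence())
    print("simultaneous open:   ", simultaneous_open_sequence())
```

The first sequence yields only NEW and ESTABLISHED verdicts, which is why a stateful filter on its own does not stop the forged-SYN case; only the simultaneous-open sequence produces an INVALID packet that a "drop INVALID" rule would discard.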


2005-06-09 20:51 BUG: Unusual TCP Connect() results Alastair Poole
2005-06-10  2:23 ` [OT] " Kyle Moffett
2005-06-10 13:24   ` Alastair Poole
2005-06-10 15:28 ` Michal Schmidt
2005-06-10 16:55   ` Alastair Poole
2005-06-10 16:06     ` Michal Schmidt
2005-06-10 22:26       ` Willy TARREAU
2005-06-10 22:38         ` Willy Tarreau
2005-06-10 22:42         ` David S. Miller
2005-06-11  6:24           ` Willy TARREAU
     [not found]             ` <20050611074350.GD28759@alpha.home.local>
2005-06-11 19:32               ` [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.) Herbert Xu
2005-06-11 19:51                 ` Willy Tarreau
2005-06-12  8:13                   ` Herbert Xu
2005-06-12  8:34                     ` Willy Tarreau
2005-06-12 10:30                       ` Herbert Xu
2005-06-12 11:40                         ` Willy Tarreau
2005-06-12 12:06                           ` Herbert Xu
2005-06-12 12:22                             ` Thomas Graf
2005-06-12 13:16                               ` Herbert Xu
2005-06-12 12:32                             ` Willy Tarreau
2005-06-12 13:13                               ` Herbert Xu
2005-06-12 13:33                                 ` Herbert Xu
2005-06-12 13:47                                   ` Willy Tarreau
2005-06-12 13:50                                     ` Herbert Xu
2005-06-12 14:24                                       ` Willy Tarreau
2005-06-13  4:48                                         ` Herbert Xu
2005-06-13  5:21                                           ` Willy Tarreau [this message]
2005-06-13  5:24                                             ` Herbert Xu
2005-06-13  6:17                                               ` Willy Tarreau
2005-06-13  7:45                                                 ` Herbert Xu
2005-06-13  8:10                                                   ` Willy Tarreau
2005-06-13 20:57                                                     ` [PATCH] fix small DoS on connect() David S. Miller
2005-06-12 13:36                                 ` [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.) Willy Tarreau
2005-06-12 14:44                                   ` Thomas Graf
2005-06-12 15:02                                     ` Willy Tarreau
2005-06-12 17:10               ` Denis Vlasenko
2005-06-12 17:36                 ` Willy Tarreau
2005-06-12 17:47                   ` Denis Vlasenko
2005-06-12 18:14                     ` Willy Tarreau
2005-06-13  2:04                       ` Valdis.Kletnieks
2005-06-11 15:34         ` BUG: Unusual TCP Connect() results Alastair Poole
2005-06-11 14:38           ` Willy Tarreau
