From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Eric Dumazet <edumazet@google.com>,
Kiran Kumar Kella <kkiran@broadcom.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 40/49] tcp: implement RFC 5961 3.2
Date: Sun, 13 Jan 2013 17:43:35 +0000 [thread overview]
Message-ID: <20130113174304.168405660@decadent.org.uk> (raw)
In-Reply-To: <20130113174255.736888844@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 282f23c6ee343126156dd41218b22ece96d747e3 ]
Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.
Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.
Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.
Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/networking/ip-sysctl.txt | 5 +++++
include/linux/snmp.h | 1 +
include/net/tcp.h | 1 +
net/ipv4/proc.c | 1 +
net/ipv4/sysctl_net_ipv4.c | 7 +++++++
net/ipv4/tcp_input.c | 31 ++++++++++++++++++++++++++++++-
6 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a4399f5..3b979c6 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -524,6 +524,11 @@ tcp_thin_dupack - BOOLEAN
Documentation/networking/tcp-thin.txt
Default: 0
+tcp_challenge_ack_limit - INTEGER
+ Limits number of Challenge ACK sent per second, as recommended
+ in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
+ Default: 100
+
UDP variables:
udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index e16557a..6e310bb 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -233,6 +233,7 @@ enum
LINUX_MIB_TCPTIMEWAITOVERFLOW, /* TCPTimeWaitOverflow */
LINUX_MIB_TCPREQQFULLDOCOOKIES, /* TCPReqQFullDoCookies */
LINUX_MIB_TCPREQQFULLDROP, /* TCPReqQFullDrop */
+ LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
__LINUX_MIB_MAX
};
diff --git a/include/net/tcp.h b/include/net/tcp.h
index bb18c4d..0768715 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -251,6 +251,7 @@ extern int sysctl_tcp_max_ssthresh;
extern int sysctl_tcp_cookie_size;
extern int sysctl_tcp_thin_linear_timeouts;
extern int sysctl_tcp_thin_dupack;
+extern int sysctl_tcp_challenge_ack_limit;
extern atomic_long_t tcp_memory_allocated;
extern struct percpu_counter tcp_sockets_allocated;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 466ea8b..f46c478 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -257,6 +257,7 @@ static const struct snmp_mib snmp4_net_list[] = {
SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
+ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
SNMP_MIB_SENTINEL
};
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 69fd720..5485077 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -552,6 +552,13 @@ static struct ctl_table ipv4_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec
},
+ {
+ .procname = "tcp_challenge_ack_limit",
+ .data = &sysctl_tcp_challenge_ack_limit,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
#ifdef CONFIG_NET_DMA
{
.procname = "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a08a621..a0d3b88 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -86,6 +86,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
int sysctl_tcp_adv_win_scale __read_mostly = 1;
EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+/* rfc5961 challenge ack rate limiting */
+int sysctl_tcp_challenge_ack_limit = 100;
+
int sysctl_tcp_stdurg __read_mostly;
int sysctl_tcp_rfc1337 __read_mostly;
int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
@@ -5240,6 +5243,23 @@ out:
}
#endif /* CONFIG_NET_DMA */
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+ /* unprotected vars, we dont care of overwrites */
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ u32 now = jiffies / HZ;
+
+ if (now != challenge_timestamp) {
+ challenge_timestamp = now;
+ challenge_count = 0;
+ }
+ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+}
+
/* Does PAWS and seqno based validation of an incoming segment, flags will
* play significant role here.
*/
@@ -5276,7 +5296,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
/* Step 2: check RST bit */
if (th->rst) {
- tcp_reset(sk);
+ /* RFC 5961 3.2 :
+ * If sequence number exactly matches RCV.NXT, then
+ * RESET the connection
+ * else
+ * Send a challenge ACK
+ */
+ if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
+ tcp_reset(sk);
+ else
+ tcp_send_challenge_ack(sk);
goto discard;
}
next prev parent reply other threads:[~2013-01-13 17:45 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-13 17:42 [ 00/49] 3.2.37-stable review Ben Hutchings
2013-01-13 17:42 ` [ 01/49] ext4: fix extent tree corruption caused by hole punch Ben Hutchings
2013-01-13 17:42 ` [ 02/49] i915: ensure that VGA plane is disabled Ben Hutchings
2013-01-13 17:42 ` [ 03/49] ext4: check dioread_nolock on remount Ben Hutchings
2013-01-13 17:42 ` [ 04/49] jbd2: fix assertion failure in jbd2_journal_flush() Ben Hutchings
2013-01-13 17:43 ` [ 05/49] hwmon: (lm73} Detect and report i2c bus errors Ben Hutchings
2013-01-13 17:43 ` [ 06/49] ext4: do not try to write superblock on ro remount w/o journal Ben Hutchings
2013-01-13 17:43 ` [ 07/49] PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz Ben Hutchings
2013-01-13 17:43 ` [ 08/49] mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED Ben Hutchings
2013-01-13 17:43 ` [ 09/49] cifs: adjust sequence number downward after signing NT_CANCEL request Ben Hutchings
2013-01-13 17:43 ` [ 10/49] tmpfs mempolicy: fix /proc/mounts corrupting memory Ben Hutchings
2013-01-13 17:43 ` [ 11/49] p54usb: add USB ID for T-Com Sinus 154 data II Ben Hutchings
2013-01-13 17:43 ` [ 12/49] ath9k_hw: Fix RX gain initvals for AR9485 Ben Hutchings
2013-01-13 17:43 ` [ 13/49] p54usb: add USBIDs for two more p54usb devices Ben Hutchings
2013-01-13 17:43 ` [ 14/49] powerpc/vdso: Remove redundant locking in update_vsyscall_tz() Ben Hutchings
2013-01-13 17:43 ` [ 15/49] powerpc: Add missing NULL terminator to avoid boot panic on PPC40x Ben Hutchings
2013-01-13 17:43 ` [ 16/49] drm/radeon: add connector table for SAM440ep embedded board Ben Hutchings
2013-01-13 17:43 ` [ 17/49] drm/radeon: add connector table for Mac G4 Silver Ben Hutchings
2013-01-14 18:48 ` Albrecht Dreß
2013-01-13 17:43 ` [ 18/49] drm/radeon: Properly handle DDC probe for DP bridges Ben Hutchings
2013-01-13 17:43 ` [ 19/49] NFSv4: Add ACCESS operation to OPEN compound Ben Hutchings
2013-01-15 18:42 ` Herton Ronaldo Krzesinski
2013-01-16 1:08 ` Ben Hutchings
2013-01-13 17:43 ` [ 20/49] NFSv4: dont check MAY_WRITE access bit in OPEN Ben Hutchings
2013-01-13 17:43 ` [ 21/49] NFS4: nfs4_opendata_access should return errno Ben Hutchings
2013-01-13 17:43 ` [ 22/49] NFS: Fix access to suid/sgid executables Ben Hutchings
2013-01-13 17:43 ` [ 23/49] drm/nouveau: fix init with agpgart-uninorth Ben Hutchings
2013-01-13 17:43 ` [ 24/49] video: mxsfb: fix crash when unblanking the display Ben Hutchings
2013-01-13 17:43 ` [ 25/49] nfs: fix null checking in nfs_get_option_str() Ben Hutchings
2013-01-13 17:43 ` [ 26/49] SUNRPC: Ensure that we free the rpc_task after cleanups are done Ben Hutchings
2013-01-13 17:43 ` [ 27/49] ACPI / scan: Do not use dummy HID for system bus ACPI nodes Ben Hutchings
2013-01-13 17:43 ` [ 28/49] mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT Ben Hutchings
2013-01-13 17:43 ` [ 29/49] drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield Ben Hutchings
2013-01-13 17:43 ` [ 30/49] drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time Ben Hutchings
2013-01-13 17:43 ` [ 31/49] udf: dont increment lenExtents while writing to a hole Ben Hutchings
2013-01-13 17:43 ` [ 32/49] epoll: prevent missed events on EPOLL_CTL_MOD Ben Hutchings
2013-01-13 17:43 ` [ 33/49] rt2x00: Dont let mac80211 send a BAR when an AMPDU subframe fails Ben Hutchings
2013-01-13 17:43 ` [ 34/49] mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL Ben Hutchings
2013-01-13 17:43 ` [ 35/49] Revert: "rt2x00: Dont let mac80211 send a BAR when an AMPDU subframe fails" Ben Hutchings
2013-01-13 17:43 ` [ 36/49] ftrace: Do not function trace inlined functions Ben Hutchings
2013-01-13 17:43 ` [ 37/49] sparc: huge_ptep_set_* functions need to call set_huge_pte_at() Ben Hutchings
2013-01-13 17:43 ` [ 38/49] inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock Ben Hutchings
2013-01-13 17:43 ` [ 39/49] net: sched: integer overflow fix Ben Hutchings
2013-01-13 17:43 ` Ben Hutchings [this message]
2013-01-13 17:43 ` [ 41/49] tcp: implement RFC 5961 4.2 Ben Hutchings
2013-01-13 17:43 ` [ 42/49] tcp: refine SYN handling in tcp_validate_incoming Ben Hutchings
2013-01-13 17:43 ` [ 43/49] tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() Ben Hutchings
2013-01-13 17:43 ` [ 44/49] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation Ben Hutchings
2013-01-13 17:43 ` [ 45/49] [SCSI] mvsas: Fix oops when ata commond timeout Ben Hutchings
2013-01-13 17:43 ` [ 46/49] RDMA/nes: Fix for crash when registering zero length MR for CQ Ben Hutchings
2013-01-13 17:43 ` [ 47/49] RDMA/nes: Fix for terminate timer crash Ben Hutchings
2013-01-13 17:43 ` [ 48/49] ACPI : do not use Lid and Sleep button for S5 wakeup Ben Hutchings
2013-01-13 17:43 ` [ 49/49] aoe: do not call bdi_init after blk_alloc_queue Ben Hutchings
2013-01-13 22:44 ` [ 00/49] 3.2.37-stable review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130113174304.168405660@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kkiran@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox