From: Willy Tarreau <w@w.ods.org>
To: James Morris <jmorris@redhat.com>
Cc: linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: Re: tcp vulnerability? haven't seen anything on it here...
Date: Thu, 22 Apr 2004 07:04:12 +0200 [thread overview]
Message-ID: <20040422050411.GM596@alpha.home.local> (raw)
In-Reply-To: <Xine.LNX.4.44.0404212042540.20483-100000@thoron.boston.redhat.com>
On Wed, Apr 21, 2004 at 08:45:42PM -0400, James Morris wrote:
> On Wed, 21 Apr 2004, David S. Miller wrote:
>
> > On Wed, 21 Apr 2004 19:03:40 +0200
> > Jörn Engel <joern@wohnheim.fh-wedel.de> wrote:
> >
> > > Heise.de made it appear, as if the only news was that with tcp
> > > windows, the propability of guessing the right sequence number is not
> > > 1:2^32 but something smaller. They said that 64k packets would be
> > > enough, so guess what the window will be.
> >
> > Yes, that is their major discovery. You need to guess the ports
> > and source/destination addresses as well, which is why I don't
> > consider this such a serious issue personally.
> >
> > It is mitigated if timestamps are enabled, because that becomes
> > another number you have to guess.
> >
> > It is mitigated also by randomized ephemeral port selection, which
> > OpenBSD implements and we could easily implement as well.
>
> What about the techniques mentioned in
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt ?
They might break the net rather than fix it, they don't seem to consider
every aspect. Imagine installed stateful firewalls, NAT boxes, load balancers,
etc... All those boxes which won't speak RFCXXXX will block the return ACK
once they see the forward RST, and the server behind the firewall will keep
ESTABLISHED sessions for hours, days, ... or up to the session time-out
dictated by the application. RSTs are very common on the internet from dialup
networks because there are lots of people without any clue about networking,
who hang up their modem while they fill a form on a site or read a long page,
ignoring that their MSIE does HTTP keep-alive and has not yet closed the
session. Some also experiment hard lockups or BSODs during FTP transfers, ...
And when they release the line, someone else on the same ISP connects and
gets the same address. And what does he do with all the ACKs the server sends
him ? RST !
It seems that this RST is covered by their draft, but instead of enumerating
every possibility to get an RST and check how they can cover it, they focus
on changing the RFC, regardless of already deployed implementations. Well,
I'm already waiting for the fight between RFCxxxx compliant OSes vs RFCyyyy
with yyyy > xxxx. It will be a bit like rfc1337: an entry in /proc for us,
a sysctl for BSD users, ndd for solaris and a registry key for many others.
At least their draft needs to be validated in every condition, and consequences
must be evaluated, with perhaps work-arounds (eg: fall back to old behaviour
after a certain number of particular RSTs, ...).
> Curiously there is no mention of port guessing or timestamps there.
They don't even explain why RSTs are generated and why we need them.
Regards,
Willy
next prev parent reply other threads:[~2004-04-22 5:04 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-21 15:25 tcp vulnerability? haven't seen anything on it here Chris Friesen
2004-04-21 16:02 ` Richard B. Johnson
2004-04-21 16:25 ` Chris Friesen
2004-04-21 17:03 ` Jörn Engel
2004-04-21 20:20 ` David S. Miller
2004-04-22 0:45 ` James Morris
2004-04-22 5:04 ` Willy Tarreau [this message]
2004-04-22 8:23 ` Giuliano Pochini
2004-04-22 11:35 ` Richard B. Johnson
2004-04-22 13:17 ` Willy Tarreau
2004-04-22 13:42 ` Richard B. Johnson
2004-04-22 14:18 ` Willy Tarreau
2004-04-22 20:25 ` Richard B. Johnson
2004-04-22 21:08 ` Willy Tarreau
2004-04-22 18:28 ` David S. Miller
2004-04-22 13:22 ` jamal
2004-04-22 13:46 ` Giuliano Pochini
2004-04-22 14:27 ` jamal
2004-04-22 14:37 ` alex
2004-04-22 15:17 ` jamal
2004-04-22 15:27 ` alex
2004-04-22 17:38 ` Horst von Brand
2004-04-22 21:15 ` Florian Weimer
2004-04-22 15:42 ` Chris Friesen
2004-04-22 15:47 ` alex
2004-04-23 10:31 ` Florian Weimer
2004-04-22 13:58 ` Florian Weimer
2004-04-23 13:55 ` Florian Weimer
2004-04-23 14:15 ` alex
2004-04-23 14:25 ` jamal
2004-04-22 20:01 ` Ranjeet Shetye
2004-04-22 21:26 ` Sridhar Samudrala
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040422050411.GM596@alpha.home.local \
--to=w@w.ods.org \
--cc=jmorris@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).