From: Willy Tarreau <willy@w.ods.org>
To: "David S. Miller" <davem@davemloft.net>
Cc: xschmi00@stud.feec.vutbr.cz, alastair@unixtrix.com,
linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Date: Sat, 11 Jun 2005 09:43:50 +0200
Message-ID: <20050611074350.GD28759@alpha.home.local>
In-Reply-To: <20050611062413.GA1324@pcw.home.local>
Hi David,
well, I could easily build a proof of concept demonstrating the security
problem implied by the simultaneous connect support. For this, I have two
machines on the LAN. One (wks, 10.0.3.9, 2.4.29) wants to connect to
www.kernel.org:80 (204.152.191.5). It works as expected:
wks:willy$ printf "HEAD / HTTP/1.0\r\n\r\n" | nc -p 10000 204.152.191.5 80; echo "ret=$?"
HTTP/1.1 200 OK
Date: Sat, 11 Jun 2005 07:08:27 GMT
Server: Apache/2.0.52 (Fedora)
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
ret=0
The other one (pcw) tries to prevent wks from connecting to www.kernel.org,
by sending to it about 10 SYNs per second spoofing kernel.org's port 80:
pcw# hping2 -i u100000 -k -a 204.152.191.5 -s 80 -I eth0 10.0.3.9 -p 10000 -S -M 12345678
During this, the client cannot connect to www.kernel.org from this port
anymore:
wks$ printf "HEAD / HTTP/1.0\r\n\r\n" | nc -p 10000 204.152.191.5 80; echo "ret=$?"
ret=1
Capture on the victim (wks=victim, pcw=attacker, www=www.kernel.org):
wks 09:06:44.020809 10.0.3.9.10000 > 204.152.191.5.80: S 4010109823:4010109823(0) win 5840 <mss 1460,nop,wscale 0> (DF)
pcw 09:06:44.065589 204.152.191.5.80 > 10.0.3.9.10000: S 12345678:12345678(0) win 512
wks 09:06:44.065621 10.0.3.9.10000 > 204.152.191.5.80: S 4010109823:4010109823(0) ack 12345679 win 5840 <mss 1460,nop,wscale 0> (DF)
pcw 09:06:44.166544 204.152.191.5.80 > 10.0.3.9.10000: S 12345678:12345678(0) win 512
www 09:06:44.217896 204.152.191.5.80 > 10.0.3.9.10000: S 2774672577:2774672577(0) ack 4010109824 win 5840 <mss 1420,nop,wscale 2> (DF)
wks 09:06:44.217939 10.0.3.9.10000 > 204.152.191.5.80: . ack 12345679 win 5840 (DF)
wks 09:06:47.020040 10.0.3.9.10000 > 204.152.191.5.80: S 4010109823:4010109823(0) ack 12345679 win 5840 <mss 1460,nop,wscale 0> (DF)
...
=> cannot establish, because either my local firewall or www.kernel.org
blocks wrong ACKs. Without a firewall, wks would have got an RST.
With the attached patch, I can no longer block the communication:
09:31:23.004379 IP (tos 0x0, ttl 64, id 36202, offset 0, flags [DF], length: 60) 10.0.3.1.10000 > 204.152.191.5.80: S [tcp sum ok] 1176290222:1176290222(0) win 13920 <mss 6960,sackOK,timestamp 4294921924 0,nop,wscale 2>
09:31:23.051743 IP (tos 0x0, ttl 64, id 9074, offset 0, flags [none], length: 40) 204.152.191.5.80 > 10.0.3.1.10000: S [tcp sum ok] 12345678:12345678(0) win 512
09:31:23.102683 IP (tos 0x0, ttl 64, id 42364, offset 0, flags [none], length: 40) 204.152.191.5.80 > 10.0.3.1.10000: S [tcp sum ok] 12345678:12345678(0) win 512
09:31:23.203546 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], length: 60) 204.152.191.5.80 > 10.0.3.1.10000: S [tcp sum ok] 3923636405:3923636405(0) ack 1176290223 win 5792 <mss 1420,sackOK,timestamp 2199155996 4294921924,nop,wscale 2>
09:31:23.203625 IP (tos 0x0, ttl 64, id 36204, offset 0, flags [DF], length: 52) 10.0.3.1.10000 > 204.152.191.5.80: . [tcp sum ok] 1176290223:1176290223(0) ack 3923636406 win 3480 <nop,nop,timestamp 4294922124 2199155996>
=> the client ignores fake SYNs and the connection establishes normally.
The proposed patch adds a "tcp_simult_connect" sysctl, which is disabled by
default to fix the problem for non-aware people. Those who know they need
the simultaneous connect can enable it manually, but I doubt we can find
many of them.
Does it seem appropriate for mainline? In this case, I would also backport
it to 2.4 and send it to you for inclusion.
Thanks,
Willy
diff -urN linux-2.6.11.11/include/linux/sysctl.h linux-2.6.11.11-tcp/include/linux/sysctl.h
--- linux-2.6.11.11/include/linux/sysctl.h Mon Mar 28 07:06:45 2005
+++ linux-2.6.11.11-tcp/include/linux/sysctl.h Sat Jun 11 09:00:22 2005
@@ -345,6 +345,7 @@
NET_TCP_MODERATE_RCVBUF=106,
NET_TCP_TSO_WIN_DIVISOR=107,
NET_TCP_BIC_BETA=108,
+ NET_TCP_SIMULT_CONNECT=109,
};
enum {
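Review bot: the new binary sysctl number NET_TCP_SIMULT_CONNECT=109 has no matching documentation in this patch; none of the four files touched is Documentation/networking/ip-sysctl.txt, so nothing tells an administrator that tcp_simult_connect exists, that its default of 0 drops crossed SYNs in SYN_SENT, or that it must be set to 1 to get the previous behaviour back. Please add an ip-sysctl.txt entry in the same series, since the whole point of the knob is that "those who know they need the simultaneous connect can enable it manually".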
diff -urN linux-2.6.11.11/include/net/tcp.h linux-2.6.11.11-tcp/include/net/tcp.h
--- linux-2.6.11.11/include/net/tcp.h Mon Mar 28 07:06:45 2005
+++ linux-2.6.11.11-tcp/include/net/tcp.h Sat Jun 11 08:56:16 2005
@@ -608,6 +608,7 @@
extern int sysctl_tcp_bic_beta;
extern int sysctl_tcp_moderate_rcvbuf;
extern int sysctl_tcp_tso_win_divisor;
+extern int sysctl_tcp_simult_connect;
extern atomic_t tcp_memory_allocated;
extern atomic_t tcp_sockets_allocated;
diff -urN linux-2.6.11.11/net/ipv4/sysctl_net_ipv4.c linux-2.6.11.11-tcp/net/ipv4/sysctl_net_ipv4.c
--- linux-2.6.11.11/net/ipv4/sysctl_net_ipv4.c Mon Mar 28 07:06:48 2005
+++ linux-2.6.11.11-tcp/net/ipv4/sysctl_net_ipv4.c Sat Jun 11 08:55:27 2005
@@ -690,6 +690,14 @@
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+ {
+ .ctl_name = NET_TCP_SIMULT_CONNECT,
+ .procname = "tcp_simult_connect",
+ .data = &sysctl_tcp_simult_connect,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
{ .ctl_name = 0 }
};
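Review bot: `.proc_handler = &proc_dointvec` lets any integer be written to tcp_simult_connect although the only consumer in tcp_input.c tests it for zero/non-zero; a minor style point, but `proc_dointvec_minmax` with `.extra1`/`.extra2` bounding the value to 0..1 would reject nonsense like `echo -1 > /proc/sys/net/ipv4/tcp_simult_connect` instead of silently treating it as "on". Consistency with the neighbouring entries that use plain proc_dointvec is a fair counter-argument, so this is optional.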
diff -urN linux-2.6.11.11/net/ipv4/tcp_input.c linux-2.6.11.11-tcp/net/ipv4/tcp_input.c
--- linux-2.6.11.11/net/ipv4/tcp_input.c Fri Jun 10 22:49:43 2005
+++ linux-2.6.11.11-tcp/net/ipv4/tcp_input.c Sat Jun 11 08:58:54 2005
@@ -84,6 +84,7 @@
int sysctl_tcp_stdurg;
int sysctl_tcp_rfc1337;
+int sysctl_tcp_simult_connect;
int sysctl_tcp_max_orphans = NR_FILE;
int sysctl_tcp_frto;
int sysctl_tcp_nometrics_save;
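Review bot: the "disabled by default" behaviour described in the mail rests entirely on the implicit zero initialisation of `int sysctl_tcp_simult_connect;`, and nothing at the definition site says so. Kernel style prefers no explicit `= 0`, so a one-line comment next to the definition (that 0 makes SYN_SENT discard a SYN without ACK and 1 restores crossed-SYN handling) would make the intent visible to the next reader without changing the code.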
@@ -4620,7 +4621,7 @@
if (tp->rx_opt.ts_recent_stamp && tp->rx_opt.saw_tstamp && tcp_paws_check(&tp->rx_opt, 0))
goto discard_and_undo;
- if (th->syn) {
+ if (th->syn && sysctl_tcp_simult_connect) {
/* We see SYN without ACK. It is attempt of
* simultaneous connect with crossed SYNs.
* Particularly, it can be connect to self.
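Review bot: with sysctl_tcp_simult_connect at its default of 0, `if (th->syn && sysctl_tcp_simult_connect)` now falls through for every SYN-without-ACK received in SYN_SENT, and the hunk does not show what the code after this block does with the segment, so the changelog should state whether it is silently dropped or answered. The comment kept right below ("Particularly, it can be connect to self") also means the new default breaks connecting a socket to its own address and port, which the cover text does not mention and which existing programs may rely on; that trade-off deserves an explicit sentence in the description.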
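As an added illustration (this is not code from the mail or from the kernel), the following C model replays the three segments from the capture above against a stripped-down client state machine, once with crossed-SYN handling honoured and once with the patch's default of dropping a SYN that carries no ACK. State names follow the kernel's, but the logic is a simplification written for this page: no timers, no options, no RST generation, and a fixed receive window of 5840 taken from the capture. The sequence numbers 4010109823, 12345678 and 2774672577 are the ones in the trace; everything else is an assumption of the model.

```c
/*
 * Added example, not part of Willy's mail or the kernel: a small model of the
 * client side of a TCP handshake, showing why a spoofed SYN derails connect()
 * when crossed SYNs are honoured in SYN_SENT, and why dropping SYN-without-ACK
 * in that state (the patch's tcp_simult_connect=0 default) avoids it.
 */
#include <stdint.h>
#include <stdio.h>

enum state { SYN_SENT, SYN_RECV, ESTABLISHED };

/* The fields of a segment that matter for this model. */
struct seg {
    int syn, ack;
    uint32_t seq, ack_seq;
};

struct client {
    enum state st;
    uint32_t snd_nxt;     /* our ISN + 1 once the SYN is out */
    uint32_t rcv_nxt;     /* next sequence number expected from the peer */
    uint32_t window;      /* receive window used for the in-window check */
    int simult_connect;   /* models the sysctl: 1 = accept crossed SYNs */
    int sent_synack;      /* how many SYN-ACKs we emitted (counters for checks) */
    int sent_ack;         /* how many bare ACKs we emitted */
};

/* connect(): the SYN with sequence number isn has just been sent. */
static void client_connect(struct client *c, uint32_t isn, int simult_connect)
{
    c->st = SYN_SENT;
    c->snd_nxt = isn + 1;
    c->rcv_nxt = 0;
    c->window = 5840;           /* "win 5840" in the capture (assumed fixed) */
    c->simult_connect = simult_connect;
    c->sent_synack = 0;
    c->sent_ack = 0;
}

/* Feed one incoming segment; returns a one-line description of the action. */
static const char *client_rx(struct client *c, const struct seg *s)
{
    switch (c->st) {
    case SYN_SENT:
        if (s->ack) {
            if (s->ack_seq != c->snd_nxt)
                return "SYN_SENT: ACK for something we never sent, reset";
            if (!s->syn)
                return "SYN_SENT: ACK without SYN, discard";
            c->rcv_nxt = s->seq + 1;
            c->st = ESTABLISHED;
            c->sent_ack++;
            return "SYN_SENT: SYN-ACK accepted, ESTABLISHED, send ACK";
        }
        /* SYN without ACK: this is the branch the patch gates. */
        if (s->syn && c->simult_connect) {
            c->rcv_nxt = s->seq + 1;
            c->st = SYN_RECV;
            c->sent_synack++;
            return "SYN_SENT: crossed SYN honoured, SYN_RECV, send SYN-ACK";
        }
        return "SYN_SENT: SYN without ACK discarded";
    case SYN_RECV:
        /* We have committed to the (spoofed) peer ISN: a retransmit of that
         * SYN is a duplicate, anything else must fall inside our window. */
        if (s->syn && !s->ack && s->seq + 1 == c->rcv_nxt)
            return "SYN_RECV: duplicate crossed SYN, discard";
        if (s->seq - c->rcv_nxt >= c->window) {
            c->sent_ack++;      /* the ". ack 12345679" line in the capture */
            return "SYN_RECV: seq outside receive window, send duplicate ACK";
        }
        if (s->ack && s->ack_seq == c->snd_nxt) {
            c->st = ESTABLISHED;
            return "SYN_RECV: ACK of our SYN-ACK, ESTABLISHED";
        }
        return "SYN_RECV: discard";
    case ESTABLISHED:
        return "ESTABLISHED: data path";
    }
    return "unreachable";
}

/* Replay the attacker's two spoofed SYNs followed by the real SYN-ACK from
 * www.kernel.org, with crossed-SYN handling on or off; the final client
 * state and counters are left in *out. */
static void replay(int simult_connect, struct client *out)
{
    const struct seg fake = { 1, 0, 12345678u, 0u };            /* hping2 -M 12345678 */
    const struct seg real = { 1, 1, 2774672577u, 4010109824u }; /* www's SYN-ACK */

    client_connect(out, 4010109823u, simult_connect);
    printf("tcp_simult_connect=%d\n", simult_connect);
    printf("  spoofed SYN   -> %s\n", client_rx(out, &fake));
    printf("  spoofed SYN   -> %s\n", client_rx(out, &fake));
    printf("  real SYN-ACK  -> %s\n", client_rx(out, &real));
}

int main(void)
{
    struct client c;
    replay(1, &c);   /* ends in SYN_RECV: connect() never completes */
    replay(0, &c);   /* ends ESTABLISHED: the spoofed SYNs were ignored */
    return 0;
}
```

With crossed-SYN handling on, the client commits to the attacker's ISN after the first spoofed SYN, so the genuine SYN-ACK from www.kernel.org lands outside the receive window and only draws a duplicate ACK for 12345679, which is the ". ack 12345679" line in the capture; the server never sees an ACK for its own SYN-ACK, which is why the mail notes that without a firewall wks would get an RST back. With the branch gated off, both spoofed SYNs are dropped and the real SYN-ACK completes the handshake.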