From: Willy Tarreau <willy@w.ods.org>
To: Thomas Graf <tgraf@suug.ch>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
davem@davemloft.net, xschmi00@stud.feec.vutbr.cz,
alastair@unixtrix.com, linux-kernel@vger.kernel.org,
netdev@oss.sgi.com
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Date: Sun, 12 Jun 2005 17:02:39 +0200
Message-ID: <20050612150239.GA10865@alpha.home.local>
In-Reply-To: <20050612144426.GC22463@postel.suug.ch>

On Sun, Jun 12, 2005 at 04:44:26PM +0200, Thomas Graf wrote:
> * Willy Tarreau <20050612133654.GA8951@alpha.home.local> 2005-06-12 15:36
> > > The RST packet is sent by client A using its sequence numbers. Therefore
> > > it will pass the sequence number check on server B.
> > >
> > > 4) server B resets the connection.
> >
> > No, precisely the RST sent by A will take its SEQ from C's ACK number.
> > This is why B will *not* reset the connection (again, tested) if C's ACK
> > was not within B's window.
>
> Absolutely but it relies on the other stack being correctly implemented.
> The attack would work perfectly fine if there wasn't the rule that a RST
> must not be sent in response to another RST.

Of course, if you target a buggy stack, you can expect anything.

> The attack has been successful and still is because some firewalls
> are configured to send RSTs without respecting this rule.

In fact, I voluntarily did not speak about firewalls because almost all
of them are very sensible to TCP DoSes. First of all, all those which
don't check sequence numbers will blindly kill a session when they
receive an RST. And some of the other ones will not let certain ACK
packets pass through, which will make other DoS described in this
thread effective while it should not be, by not letting the server
tell the client to reset its session when really needed.

> I like your patch and the idea behind it, it can successfully defeat the
> most simple method of preventing connections being established.

That's what I thought, too. I have another one for 2.4.31 which only adds
a CONFIG option to remove the associated code, which reduces the image by
400 bytes.

Cheers,
Willy
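
The sequence check this message refers to, as an added example that is not part of the original mail or of the patch under discussion: a session tracker that tears down on any RST, beside one that applies the RFC 793 receive-window test. The struct, the function names and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-direction state a stateful filter keeps for one flow. */
struct flow_dir {
    uint32_t rcv_nxt;   /* next sequence number expected from the peer */
    uint32_t rcv_wnd;   /* receive window currently advertised to the peer */
};

enum rst_verdict { RST_DROP = 0, RST_ACCEPT = 1 };

/* Blind handling: any RST matching the 4-tuple kills the session. */
static enum rst_verdict rst_blind(const struct flow_dir *d, uint32_t seg_seq)
{
    (void)d;
    (void)seg_seq;
    return RST_ACCEPT;
}

/* RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
 * computed modulo 2^32 so it stays correct across sequence wraparound. */
static enum rst_verdict rst_in_window(const struct flow_dir *d, uint32_t seg_seq)
{
    if (d->rcv_wnd == 0)    /* closed window: only an exact match is acceptable */
        return seg_seq == d->rcv_nxt ? RST_ACCEPT : RST_DROP;
    return (uint32_t)(seg_seq - d->rcv_nxt) < d->rcv_wnd ? RST_ACCEPT : RST_DROP;
}

int main(void)
{
    /* Constructed sample state: the window straddles the 2^32 wrap. */
    struct flow_dir d = { .rcv_nxt = 0xFFFFFF00u, .rcv_wnd = 0x400u };
    uint32_t seqs[] = { 0xFFFFFF00u, 0x000000FFu, 0x00000300u, 0x12345678u };

    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq=0x%08x blind=%d in_window=%d\n", (unsigned)seqs[i],
               rst_blind(&d, seqs[i]), rst_in_window(&d, seqs[i]));
    return 0;
}
```
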