From: Willy Tarreau <willy@w.ods.org>
To: Denis Vlasenko <vda@ilport.com.ua>
Cc: "David S. Miller" <davem@davemloft.net>,
	xschmi00@stud.feec.vutbr.cz, alastair@unixtrix.com,
	linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Date: Sun, 12 Jun 2005 19:36:14 +0200	[thread overview]
Message-ID: <20050612173614.GA11157@alpha.home.local> (raw)
In-Reply-To: <200506122010.33075.vda@ilport.com.ua>

On Sun, Jun 12, 2005 at 08:10:33PM +0300, Denis Vlasenko wrote:
> > Does it seem appropriate for mainline ? In this case, I would also backport
> > it to 2.4 and send it to you for inclusion.
> 
> It does not contain a comment why it is configurable.

You're right. Better with this ?

Willy
--

diff -pruNX dontdiff linux-2.6.11.11/Documentation/networking/ip-sysctl.txt linux-2.6.11.11-tcp/Documentation/networking/ip-sysctl.txt
--- linux-2.6.11.11/Documentation/networking/ip-sysctl.txt	Sun Mar  6 13:08:46 2005
+++ linux-2.6.11.11-tcp/Documentation/networking/ip-sysctl.txt	Sun Jun 12 19:28:50 2005
@@ -368,6 +368,27 @@ tcp_frto - BOOLEAN
 	where packet loss is typically due to random radio interference
 	rather than intermediate router congestion.
 
+tcp_simult_connect - BOOLEAN
+	Enables TCP simultaneous connect feature conforming to RFC793.
+	Strict implementation of RFC793 (TCP) requires support for a feature
+	called "simultaneous connect", which allows two clients to connect to
+	each other without anyone entering a listening state.  While almost
+	never used, and supported by few OSes, Linux supports this feature.
+
+	However, it introduces a weakness in the protocol which makes it very
+	easy for an attacker to prevent a client from connecting to a known
+	server. The attacker only has to guess the source port to shut down
+	the client connection during its establishment. The impact is limited,
+	but it may be used to prevent an antivirus or IPS from fetching updates
+	and not detecting an attack, or to prevent an SSL gateway from fetching
+	a CRL for example.
+
+	If you want backwards compatibility with every possible application,
+	you should set it to 1. If you prefer to enhance security on your
+	systems at the risk of breaking very rare specific applications, you'd
+	better let it to 0.
+	Default: 0
+
 somaxconn - INTEGER
 	Limit of socket listen() backlog, known in userspace as SOMAXCONN.
 	Defaults to 128.  See also tcp_max_syn_backlog for additional tuning
diff -pruNX dontdiff linux-2.6.11.11/include/linux/sysctl.h linux-2.6.11.11-tcp/include/linux/sysctl.h
--- linux-2.6.11.11/include/linux/sysctl.h	Sun Jun 12 10:44:01 2005
+++ linux-2.6.11.11-tcp/include/linux/sysctl.h	Sat Jun 11 09:00:22 2005
@@ -345,6 +345,7 @@ enum
 	NET_TCP_MODERATE_RCVBUF=106,
 	NET_TCP_TSO_WIN_DIVISOR=107,
 	NET_TCP_BIC_BETA=108,
+	NET_TCP_SIMULT_CONNECT=109,
 };
 
 enum {
diff -pruNX dontdiff linux-2.6.11.11/include/net/tcp.h linux-2.6.11.11-tcp/include/net/tcp.h
--- linux-2.6.11.11/include/net/tcp.h	Sun Jun 12 10:44:01 2005
+++ linux-2.6.11.11-tcp/include/net/tcp.h	Sat Jun 11 08:56:16 2005
@@ -608,6 +608,7 @@ extern int sysctl_tcp_bic_low_window;
 extern int sysctl_tcp_bic_beta;
 extern int sysctl_tcp_moderate_rcvbuf;
 extern int sysctl_tcp_tso_win_divisor;
+extern int sysctl_tcp_simult_connect;
 
 extern atomic_t tcp_memory_allocated;
 extern atomic_t tcp_sockets_allocated;
diff -pruNX dontdiff linux-2.6.11.11/net/ipv4/sysctl_net_ipv4.c linux-2.6.11.11-tcp/net/ipv4/sysctl_net_ipv4.c
--- linux-2.6.11.11/net/ipv4/sysctl_net_ipv4.c	Sun Jun 12 10:44:01 2005
+++ linux-2.6.11.11-tcp/net/ipv4/sysctl_net_ipv4.c	Sat Jun 11 08:55:27 2005
@@ -690,6 +690,14 @@ ctl_table ipv4_table[] = {
 		.mode		= 0644,
 		.proc_handler	= &proc_dointvec,
 	},
+	{
+		.ctl_name	= NET_TCP_SIMULT_CONNECT,
+		.procname	= "tcp_simult_connect",
+		.data		= &sysctl_tcp_simult_connect,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
 	{ .ctl_name = 0 }
 };
 
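Review bot: The new ctl_table entry is documented as a BOOLEAN but registered with `proc_dointvec`, so any integer can be written to `tcp_simult_connect` and every nonzero value enables the feature; the entry just above in the hunk uses the same handler, so this is consistent with its neighbours rather than a defect. If the documented 0/1 range is meant to be enforced, `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 bounds would do it, assuming the file already has such bound variables for other clamped entries. The `ipv4_table[]` array begins outside this hunk.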
diff -pruNX dontdiff linux-2.6.11.11/net/ipv4/tcp_input.c linux-2.6.11.11-tcp/net/ipv4/tcp_input.c
--- linux-2.6.11.11/net/ipv4/tcp_input.c	Sun Jun 12 10:44:01 2005
+++ linux-2.6.11.11-tcp/net/ipv4/tcp_input.c	Sun Jun 12 19:33:56 2005
@@ -84,6 +84,7 @@ int sysctl_tcp_adv_win_scale = 2;
 
 int sysctl_tcp_stdurg;
 int sysctl_tcp_rfc1337;
+int sysctl_tcp_simult_connect;
 int sysctl_tcp_max_orphans = NR_FILE;
 int sysctl_tcp_frto;
 int sysctl_tcp_nometrics_save;
@@ -4620,10 +4621,12 @@ discard:
 	if (tp->rx_opt.ts_recent_stamp && tp->rx_opt.saw_tstamp && tcp_paws_check(&tp->rx_opt, 0))
 		goto discard_and_undo;
 
-	if (th->syn) {
+	if (th->syn && sysctl_tcp_simult_connect) {
 		/* We see SYN without ACK. It is attempt of
 		 * simultaneous connect with crossed SYNs.
 		 * Particularly, it can be connect to self.
+		 * This feature is disabled by default as it introduces a
+		 * weakness in the protocol. It can be enabled by a sysctl.
 		 */
 		tcp_set_state(sk, TCP_SYN_RECV);
 
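Review bot: What happens to a bare SYN received in SYN_SENT when `sysctl_tcp_simult_connect` is 0 is not visible here, because the hunk ends inside the `if` block and the enclosing function continues past it; the protection this patch adds depends on that fallthrough silently discarding the segment, since answering it with a RST would keep the same connection-abort window open, so that is the behaviour to confirm. The new comment text says the feature "can be enabled by a sysctl" without naming it, which will cost the next reader a grep; suggest `* weakness in the protocol. It can be enabled with the tcp_simult_connect sysctl (see Documentation/networking/ip-sysctl.txt).` in place of the second added comment line.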
