From: Steve Modica <modica@sgi.com>
To: Alex Pankratov <ap@swapped.cc>
Cc: "David S. Miller" <davem@redhat.com>,
netdev@oss.sgi.com, Michael Rozhavsky <mike@minantech.com>
Subject: Re: RST business
Date: Thu, 22 Apr 2004 09:11:42 -0500 [thread overview]
Message-ID: <4087D29E.6010907@sgi.com> (raw)
In-Reply-To: <40875F2F.7010204@swapped.cc>
If one of the potential causes for RST is that SEQ/ACK synchronization
has been lost, then you can't do this.
Alex Pankratov wrote:
>
> Looking at the hype around 'TCP vulnerability' the following
> occured to me, and I wonder if it makes any sense -
>
> A host may recieve legitimate RST packet only in response to
> something that it has previously sent (let's call it a 'trigger').
>
> SEQ/ACK values in RST packet are correlated to SEQ/ACK of the
> trigger. If the correlation is not there, then RST packet is
> most certainly spoofed and should be dropped even if its SEQ
> falls into host's rcpt window.
>
> In other words, it seems to be possible to stregthen ingress
> RST checking (and thus better protect against blind RST attacks)
> while maintaining _full RFC compliance_. Here's a how-to sketch.
>
> RFC 793 (page 35) states that for the connection in
> non-established state -
>
> If the incoming segment has an ACK field, the reset takes its
> sequence number from the ACK field of the segment, otherwise
> the reset has sequence number zero and the ACK field is set to
> the sum of the sequence number and segment length of the incoming
> segment.
>
> Hence the second RST check (after standard window check) is
>
> if (! pkt->seq)
> check if we've recently sent a segment without
> an ACK with (pkt->ack - pkt->seq) bytes in it
> else
> check if we've recently sent a segment with ACK
> of (pkt->seq) and with (pkt->ack - pkt->seq)
> bytes in it
>
> If RST passes the check, it's accepted. Otherwise checks continue.
>
> RFC 793 (page 36) states that for the connection in
> established state -
>
> .. elicit only an empty
> acknowledgment segment containing the current send-sequence number
> and an acknowledgment indicating the next sequence number expected
> to be received ..
>
> At this point seeing a RST means that
> (a) remote host is an ESTABLISHED state
> (b) we sent a segment that it considers not to be a part of the
> current connection
>
> And (b) is something that we can always check since we're now sure
> about (a).
>
> The above obviously requires keeping some sort of 'outbound history',
> plus (b) involves some non-trivial logic, which however seems to be
> doable from the first glance.
>
> Comments ?
>
> Alex
next prev parent reply other threads:[~2004-04-22 14:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-22 5:59 RST business Alex Pankratov
2004-04-22 7:08 ` Glen Turner
2004-04-22 14:11 ` Steve Modica [this message]
2004-04-22 15:17 ` Alex Pankratov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4087D29E.6010907@sgi.com \
--to=modica@sgi.com \
--cc=ap@swapped.cc \
--cc=davem@redhat.com \
--cc=mike@minantech.com \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).