From: Zhiyun Qian <zhiyunq@umich.edu>
To: Eric Dumazet <erdnetdev@gmail.com>
Cc: netdev@vger.kernel.org
Subject: Re: TCP sequence number inference attack on Linux
Date: Fri, 21 Dec 2012 14:49:03 -0500 [thread overview]
Message-ID: <CALvgte9WJRR95B5WCTavF0w3Kvf+MksZtyY4OQ=ioAe71BasCw@mail.gmail.com> (raw)
In-Reply-To: <1356118052.21834.7793.camel@edumazet-glaptop>
On Fri, Dec 21, 2012 at 2:27 PM, Eric Dumazet <erdnetdev@gmail.com> wrote:
> On Fri, 2012-12-21 at 14:10 -0500, Zhiyun Qian wrote:
>> That's good to know. However, implementing RFC 5961 alone is not
>> sufficient. Like I said, since DelayedAckLost counter is incremented
>> purely upon looking at the sequence number, regardless of the ACK
>> number. An attacker thus can still infer the sequence number based on
>> DelayedAckLost counter without knowing the right ACK number.
>>
>
>
>
>> The next question is how can the attacker eventually know the right
>> ACK number in order to inject real data. It turns out that this is not
>> hard either. First, based on the current Linux TCP stack, it accepts
>> incoming packets without ACK flag.
>
> I dont really think so.
>
> We must discard frame is th->ack is not set. (Step 5, line 6142)
>
If I am not mistaken, line 6142 in kernel v3.7.1 corresponds to
tcp_rcv_state_process(). According to the comments, "This function
implements the receiving procedure of RFC 793 for all states except
ESTABLISHED and TIME_WAIT." Are you referring to a different kernel
version?
>
>
>> Further, if ACK flag is not set,
>> ACK number will not be checked at all. See code in
>> net/ipv4/tcp_input.c, function tcp_rcv_established()
>>
>> 5547 if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
>> 5548 goto discard;
>>
>> Second, even if ACK number is always checked before accepting the
>> payload, it is still possible to infer the ACK number much like how
>> sequence number can be inferred. The details is described in Section
>> 3.4 of my paper, paragraph starting with "Client-side sequence number
>> inference".
>>
>> I'm looking at the latest kernel v3.7.1 right now. I believe the
>> problem do still exist in today's Linux.
>>
>
> It seems you know pretty well this code, I wonder why you dont send
> patches to fix the bugs...
>
> Its not like it has to be buggy forever.
>
I have never submitted any patch before...I would do it if no one else
wants to :)
>
>
next prev parent reply other threads:[~2012-12-21 19:49 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-21 17:58 TCP sequence number inference attack on Linux Zhiyun Qian
2012-12-21 18:31 ` Eric Dumazet
2012-12-21 18:52 ` Eric Dumazet
2012-12-21 19:13 ` Zhiyun Qian
2012-12-21 19:30 ` Eric Dumazet
2012-12-22 2:13 ` Hannes Frederic Sowa
2012-12-21 19:10 ` Zhiyun Qian
2012-12-21 19:27 ` Eric Dumazet
2012-12-21 19:49 ` Zhiyun Qian [this message]
2012-12-21 22:45 ` Eric Dumazet
2012-12-21 23:52 ` Zhiyun Qian
2012-12-22 0:01 ` Eric Dumazet
2012-12-22 0:04 ` Eric Dumazet
2012-12-22 0:08 ` Zhiyun Qian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALvgte9WJRR95B5WCTavF0w3Kvf+MksZtyY4OQ=ioAe71BasCw@mail.gmail.com' \
--to=zhiyunq@umich.edu \
--cc=erdnetdev@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).