* [PATCH 0/2] TCP conntrack patches
@ 2012-08-31 19:55 Jozsef Kadlecsik
2012-08-31 19:55 ` [PATCH 1/2] netfilter: Mark SYN/ACK packets as invalid from original direction Jozsef Kadlecsik
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Jozsef Kadlecsik @ 2012-08-31 19:55 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso, Jan Wrobel
Hi Pablo,
Jan Wrobel wrote a nice article on off-path TCP attacks (see
http://arxiv.org/abs/1201.2074). He discovered two weaknesses
in netfilter TCP conntrack, which make such attacks easier.
The next two patches fixes the issues.
Please review them and consider applying them.
Best regards,
Jozsef
Jozsef Kadlecsik (2):
netfilter: Mark SYN/ACK packets as invalid from original direction
netfilter: Validate the sequence number of dataless ACK packets as
well
net/netfilter/nf_conntrack_proto_tcp.c | 29 ++++++++++-------------------
1 files changed, 10 insertions(+), 19 deletions(-)
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH 1/2] netfilter: Mark SYN/ACK packets as invalid from original direction 2012-08-31 19:55 [PATCH 0/2] TCP conntrack patches Jozsef Kadlecsik @ 2012-08-31 19:55 ` Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 2/2] netfilter: Validate the sequence number of dataless ACK packets as well Jozsef Kadlecsik 2012-09-09 20:11 ` [PATCH 0/2] TCP conntrack patches Pablo Neira Ayuso 2 siblings, 0 replies; 4+ messages in thread From: Jozsef Kadlecsik @ 2012-08-31 19:55 UTC (permalink / raw) To: netfilter-devel; +Cc: Pablo Neira Ayuso, Jan Wrobel, Jozsef Kadlecsik Clients should not send such packets. By accepting them, we open up a hole by wich ephemeral ports can be discovered in an off-path attack. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/nf_conntrack_proto_tcp.c | 19 ++++++++----------- 1 files changed, 8 insertions(+), 11 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index a5ac11e..aba98f9 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { * sCL -> sSS */ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ -/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, +/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR }, /* * sNO -> sIV Too late and no reason to do anything * sSS -> sIV Client can't send SYN and then SYN/ACK * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open - * sSR -> sIG - * sES -> sIG Error: SYNs in window outside the SYN_SENT state - * are errors. Receiver will reply with RST - * and close the connection. - * Or we are not in sync and hold a dead connection. - * sFW -> sIG - * sCW -> sIG - * sLA -> sIG - * sTW -> sIG - * sCL -> sIG + * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open + * sES -> sIV Invalid SYN/ACK packets sent by the client + * sFW -> sIV + * sCW -> sIV + * sLA -> sIV + * sTW -> sIV + * sCL -> sIV */ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] netfilter: Validate the sequence number of dataless ACK packets as well 2012-08-31 19:55 [PATCH 0/2] TCP conntrack patches Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 1/2] netfilter: Mark SYN/ACK packets as invalid from original direction Jozsef Kadlecsik @ 2012-08-31 19:55 ` Jozsef Kadlecsik 2012-09-09 20:11 ` [PATCH 0/2] TCP conntrack patches Pablo Neira Ayuso 2 siblings, 0 replies; 4+ messages in thread From: Jozsef Kadlecsik @ 2012-08-31 19:55 UTC (permalink / raw) To: netfilter-devel; +Cc: Pablo Neira Ayuso, Jan Wrobel, Jozsef Kadlecsik We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/nf_conntrack_proto_tcp.c | 10 ++-------- 1 files changed, 2 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index aba98f9..e046b37 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct, ack = sack = receiver->td_end; } - if (seq == end - && (!tcph->rst - || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT))) + if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT) /* - * Packets contains no data: we assume it is valid - * and check the ack value only. - * However RST segments are always validated by their - * SEQ number, except when seq == 0 (reset sent answering - * SYN. + * RST sent answering SYN. */ seq = end = sender->td_end; -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/2] TCP conntrack patches 2012-08-31 19:55 [PATCH 0/2] TCP conntrack patches Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 1/2] netfilter: Mark SYN/ACK packets as invalid from original direction Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 2/2] netfilter: Validate the sequence number of dataless ACK packets as well Jozsef Kadlecsik @ 2012-09-09 20:11 ` Pablo Neira Ayuso 2 siblings, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2012-09-09 20:11 UTC (permalink / raw) To: Jozsef Kadlecsik; +Cc: netfilter-devel, Jan Wrobel Hi Jozsef, On Fri, Aug 31, 2012 at 09:55:52PM +0200, Jozsef Kadlecsik wrote: > Hi Pablo, > > Jan Wrobel wrote a nice article on off-path TCP attacks (see > http://arxiv.org/abs/1201.2074). He discovered two weaknesses > in netfilter TCP conntrack, which make such attacks easier. > The next two patches fixes the issues. > > Please review them and consider applying them. I think this can be considered security fixes, so I'll push this to 3.6-rc. Thanks Jozsef. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-09-09 20:11 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-08-31 19:55 [PATCH 0/2] TCP conntrack patches Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 1/2] netfilter: Mark SYN/ACK packets as invalid from original direction Jozsef Kadlecsik 2012-08-31 19:55 ` [PATCH 2/2] netfilter: Validate the sequence number of dataless ACK packets as well Jozsef Kadlecsik 2012-09-09 20:11 ` [PATCH 0/2] TCP conntrack patches Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).