From: "Alex Judd" <alex@skywire.co.uk>
To: netfilter@vger.kernel.org
Cc: 'Alex Judd' <alex@skywire.co.uk>
Subject: Fixing TCP sequence approximation problems using iptables and tools
Date: Fri, 29 Aug 2008 18:21:42 +0100
Message-ID: <00e901c909fb$b52c9950$1f85cbf0$@co.uk>
Hi list
My first post here, so briefly: hi.
I wanted to see if anyone out there had any experience of using iptables and
tools to fix a vulnerability we have in the TCP of our Linux kernel which,
according to our PCI evaluations, leaves us open to TCP sequence
approximation hacking.
"TCP Sequence Number Approximation Based Denial of Service"
THREAT:
TCP provides stateful communications between hosts on a network. TCP
sessions are established by a three-way handshake and use random 32-bit
sequence and acknowledgement numbers to ensure the validity of traffic. A
vulnerability was reported that may permit TCP sequence numbers to be more
easily approximated by remote attackers. This issue affects products
released by multiple vendors.
Basically, as far as I can see, PF on OpenBSD has the ability to do this by
normalizing the TCP packets.
Ref:
http://www.section6.net/wiki/index.php/Setting_up_a_Firewall_NAT_using_PF
# Normalizes packets and masks the OS's shortcomings such as SYN/FIN packets
# [scrub reassemble tcp](BID 10183) and sequence number approximation
# bugs (BID 7487).
scrub on $extif reassemble tcp no-df random-id
Has anyone any experience with this, using a Linux-based kernel to fix this?
Many thanks
Alex
Skywire | www.skywire.co.uk
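An added example (not part of Alex's mail or of the netfilter project) of the Linux-side counterpart to the PF scrub line quoted above: netfilter's TCP connection tracking already checks sequence and acknowledgement numbers against each connection's tracked window, so the mitigation is to keep that checking strict and to drop what it flags as INVALID. It assumes the external interface is eth0 and a kernel exposing the nf_conntrack sysctl names (older 2.6 kernels used net.ipv4.netfilter.ip_conntrack_tcp_be_liberal).

```shell
#!/bin/sh
# Added example: Linux counterpart to PF "scrub ... reassemble tcp" for the
# sequence-approximation issue. netfilter's TCP tracking keeps a per-connection
# window and marks segments (RST included) whose SEQ/ACK fall outside it as
# INVALID -- but only while nf_conntrack_tcp_be_liberal is 0, and only a rule
# that drops INVALID turns that verdict into an actual block.
# Assumptions: external interface eth0; nf_conntrack sysctl names.

EXTIF="${EXTIF:-eth0}"

# Emit the hardening commands one per line, for review or to pipe into sh.
seqapprox_rules() {
    # The weak setting is be_liberal=1: out-of-window segments are accepted.
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=0"
    # Ordering matters: judge INVALID before any ESTABLISHED accept rule.
    echo "iptables -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix 'CT_INVALID '"
    echo "iptables -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $EXTIF -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Self-check: how many emitted rules drop INVALID segments (INPUT + FORWARD).
count_invalid_drops() {
    seqapprox_rules | grep -c 'ctstate INVALID -j DROP'
}

# Self-check: succeeds only if strict window tracking is requested.
requests_strict_tracking() {
    seqapprox_rules | grep -q 'nf_conntrack_tcp_be_liberal=0'
}

case "${1:-print}" in
    apply) seqapprox_rules | sh -e ;;   # needs root and the conntrack match
    *)     seqapprox_rules ;;
esac
```

The LOG rule gives a rate-limited kernel-log trail of out-of-window segments, which is also the signal to watch for when confirming the tracking is active.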