Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)

On Sun, Jun 12, 2005 at 11:50:18PM +1000, Herbert Xu wrote:
> On Sun, Jun 12, 2005 at 03:47:25PM +0200, Willy Tarreau wrote:
> > 
> > Yes, but only if there's an ACK and the ACK is exactly equal to snd_next,
> > so the connection will survive.
> 
> Sorry I wasn't thinking straight.
> 
> > 
> > > My point is that there are many ways to kill TCP connections in ways
> > > similar to what you proposed initially so it isn't that special.
> > 
> > No, there are plenty of ways to kill TCP connections when you can guess
> > the window (which is more and more easy thanks to window scaling). But
> > I have yet found no way to kill a TCP session without this info, except
> > by exploiting the simultaneous connect feature.
> 
> I still stand by this point though.  The most obvious thing I can think
> of right now is to change your attack to simply connect to kernel.org's
> webserver first from source port 10000.  That will cause the real SYN
> packet to fail the sequence number check.

This case is interesting, but it will be resolved in two possible ways :
1) no firewall in front of A
  - C spoofs A and sends a fake SYN to B
  - B responds to A with a SYN-ACK
  - A sends an RST to B, which clears the session
  - A wants to connect and sends its SYN to B which accepts it.

2) A behind a firewall
  - C spoofs A and sends a fake SYN to B
  - B responds to A with a SYN-ACK, which does not reach A (firewall, etc...)
  - A tries to connect to B and sends its SYN with a different SEQ
  - B responds to A with only an ACK (no SYN) indicating the expected SEQ.
  - A responds to B's ACK with an RST and B flushes its session too.
  - A resends its SYN to B which accepts it.
 
Cheers,
Willy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>

References:
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Willy Tarreau <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Willy Tarreau <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Willy Tarreau <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Willy Tarreau <[email protected]>
- Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
  - From: Herbert Xu <[email protected]>

Prev by Date: Re: [patch] Real-Time Preemption, -RT-2.6.12-rc6-V0.7.48-00
Next by Date: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Previous by thread: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Next by thread: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]