Date: Fri, 16 Aug 2013 02:05:23 +0200
From: Jiri Bohac <jbohac@...e.cz>
To: Jiri Bohac <jbohac@...e.cz>
Cc: Jakob Lell <jakob@...oblell.com>, netdev@...r.kernel.org, davem@...emloft.net
Subject: [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks

Jakob Lell discovered that the sequence number that needs to be guessed to successfully spoof a TCP connection with syncookies only has 27 bits of entropy. Of the 32 bits, 3 are wasted by the 8 different MSS values. [1]

This patch decreases the number of possible MSS values from 8 to 3, making the spoofing attack 8/3 times more difficult.

Rationale for the new values
- most packets are (1500 - headers); (1450 - headers) is not a huge waste and prevents fallback to much lower values
- clients will rarely send MSS below 536, so that's a safe fallback
- we need to keep the minimum (64)

[1]: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/

Signed-off-by: Jiri Bohac <jbohac@...e.cz>
---
 net/ipv4/syncookies.c | 9 ++-------
 net/ipv6/syncookies.c | 9 ++-------
 2 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index af0692f..0504bbe 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -148,15 +148,10 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr, int sysctl_tcp4_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = { 64, 512, - 536, - 1024, - 1440, - 1460, - 4312, - 8960, + 1450 - 40, /* update sysctl_tcp4_syncookies_mss_count accordingly */ }; -int sysctl_tcp4_syncookies_mss_count = 8; +int sysctl_tcp4_syncookies_mss_count = 3; /* * This value is the age (in seconds) of syncookies which will always be diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c index 4268448..ccdb880 100644 --- a/net/ipv6/syncookies.c +++ b/net/ipv6/syncookies.c 
@@ -28,15 +28,10 @@ int sysctl_tcp6_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = { 64, 512, - 536, - 1280 - 60, - 1480 - 60, - 1500 - 60, - 4460 - 60, - 9000 - 60, + 1450 - 60, /* update sysctl_tcp6_syncookies_mss_count accordingly */ }; -int sysctl_tcp6_syncookies_mss_count = 8; +int sysctl_tcp6_syncookies_mss_count = 3; /* * This value is the age (in seconds) of syncookies which will always be

-- 
Jiri Bohac <jbohac@...e.cz>
SUSE Labs, SUSE CZ
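Review bot: for the net/ipv4/syncookies.c hunk, the cost to clients advertising an MSS between 536 and 1409 is not covered by the commit message: with the table cut to `64, 512, 1450 - 40`, such a client (tunnel or VPN paths in the 1300-1400 range, for instance) is now encoded as 512 rather than 1024 or 1440 as before, so the "(1450 - headers) is not a huge waste" rationale only holds for clients at or above 1410. The rationale also names 536 as the safe fallback while the hunk drops 536 and keeps 512; the message should say that 512 is the retained entry so that every client advertising 536 or more still encodes to it. Minor: the new entry is written `1450 - 40` while its former neighbours were literal (`1440`, `1460`); either write `1410` or express the whole table in the `- 40` form as the v6 file does, not a mix.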
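Review bot: for the net/ipv6/syncookies.c hunk, dropping `1280 - 60` removes the entry that matches the IPv6 minimum link MTU of 1280, so a client on such a path (advertising 1220, common behind tunnels) is now encoded as 512 instead of 1220, because 1220 is below the only remaining large entry `1450 - 60` (1390). That is a bigger regression for v6 than the "(1450 - headers) is not a huge waste" rationale suggests; if three entries are the budget, consider whether `1280 - 60` is the better middle value for v6, or state the cost explicitly in the commit message so the trade-off is a deliberate one.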
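To make the trade-off in the commit message concrete, here is an added model (not code from the patch or from the kernel) of what a syncookie MSS table does: which MSS a client is downgraded to once the cookie is decoded, how many cookie bits the index consumes, and the factor by which the accepted-cookie set shrinks, which is where the "8/3 times more difficult" figure comes from. The tables are copied from the two hunks; the selection rule (take the largest table entry not exceeding the advertised MSS, index 0 as the floor) and the one-valid-cookie-per-index counting are assumptions of this model, and the client MSS values in `sample` are constructed.

```python
import math
from fractions import Fraction
from typing import Dict, Sequence, Tuple

# MSS tables copied from the two hunks of the patch (before and after).
OLD_IPV4 = [64, 512, 536, 1024, 1440, 1460, 4312, 8960]
NEW_IPV4 = [64, 512, 1450 - 40]
OLD_IPV6 = [64, 512, 536, 1280 - 60, 1480 - 60, 1500 - 60, 4460 - 60, 9000 - 60]
NEW_IPV6 = [64, 512, 1450 - 60]


def encode_mss(table: Sequence[int], client_mss: int) -> int:
    """Index the cookie would carry for client_mss.

    Assumed selection rule: walk the table from the top and take the first
    entry that does not exceed the advertised MSS; index 0 is the floor.
    """
    for idx in range(len(table) - 1, 0, -1):
        if client_mss >= table[idx]:
            return idx
    return 0


def effective_mss(table: Sequence[int], client_mss: int) -> int:
    """MSS the server will actually use once the cookie is decoded."""
    return table[encode_mss(table, client_mss)]


def wasted_bits(table: Sequence[int]) -> float:
    """Cookie bits consumed by the MSS index (3.0 for an 8-entry table)."""
    return math.log2(len(table))


def guess_cost_ratio(old: Sequence[int], new: Sequence[int]) -> Fraction:
    """Factor by which the expected number of blind guesses grows.

    Assumed model: per 4-tuple and counter value exactly one cookie is valid
    for each usable index, so the acceptable set shrinks with the table.
    """
    return Fraction(len(old), len(new))


def downgrade_report(old: Sequence[int], new: Sequence[int],
                     advertised: Sequence[int]) -> Dict[int, Tuple[int, int]]:
    """Map each advertised client MSS to (effective before, effective after)."""
    return {mss: (effective_mss(old, mss), effective_mss(new, mss))
            for mss in advertised}


if __name__ == "__main__":
    # Constructed sample: the table minimum, the classic 536 fallback, the
    # IPv6 minimum-MTU case (1280 - 60), two tunnel/PPPoE-style values,
    # a plain 1500-MTU client and a jumbo-frame client.
    sample = [64, 536, 1220, 1400, 1452, 1460, 8960]
    print("wasted bits v4 old/new:", wasted_bits(OLD_IPV4),
          round(wasted_bits(NEW_IPV4), 3))
    print("guess cost ratio:", guess_cost_ratio(OLD_IPV4, NEW_IPV4))
    for mss, (before, after) in downgrade_report(OLD_IPV6, NEW_IPV6, sample).items():
        print(f"IPv6 client MSS {mss:5d}: {before:5d} -> {after:5d}")
```

Running it shows the two sides of the patch at once: the index field drops from 3 bits to about 1.585 bits and the guess cost rises by exactly 8/3, while an IPv6 client advertising 1220 goes from an effective MSS of 1220 to 512, and an IPv4 client at 1400 goes from 1024 to 512.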