| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Aug 2013 20:34:09 -0400 From: Neal Cardwell <ncardwell@...gle.com> To: Jiri Bohac <jbohac@...e.cz> Cc: Jakob Lell <jakob@...oblell.com>, Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> Subject: Re: [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks On Thu, Aug 15, 2013 at 8:00 PM, Jiri Bohac <jbohac@...e.cz> wrote: > (compile-tested only) > > Jakob Lell discovered that the sequence number that needs to be guessed to > successfully spoof a TCP connection with syncookies only has 27 bits of > entropy. Of the 32 bits, 2 bits are wasted by the four differrent timestamps > accepted and 3 are wasted by the 8 differrent RSS values. [1] > > This patch slows down the timer used in syncookies from 1/60 Hz to 1/60/4 Hz > so that at any moment only two differrent timer values can be accepted. > As a result, 1 bit of sequence number entropy is gained. > > This changes the maximum cookie age limit from 4 - 5 minutes to 4 - 8 minutes. > > [1]: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ > > Signed-off-by: Jiri Bohac <jbohac@...e.cz> ... > /* > - * This (misnamed) value is the age of syncookie which is permitted. > + * This value is the age (in seconds) of syncookies which will always be I believe (hope?) you mean minutes here, rather than seconds. :-) Same typo occurs in 2 spots each for IPv4 and IPv6. neal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists