| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Oct 2008 08:50:34 -0700 From: Randy Dunlap <randy.dunlap@...cle.com> To: Willy Tarreau <w@....eu> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH] add a sysctl to disable TCP simultaneous connection opening On Wed, 8 Oct 2008 10:11:09 +0200 Willy Tarreau wrote: > Documentation/networking/ip-sysctl.txt | 22 ++++++++++++++++++++++ > > diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt > index d849326..cefc894 100644 > --- a/Documentation/networking/ip-sysctl.txt > +++ b/Documentation/networking/ip-sysctl.txt > @@ -101,6 +101,28 @@ inet_peer_gc_maxtime - INTEGER > > TCP variables: > > +tcp_simult_connect - BOOLEAN > + Enables TCP simultaneous connect feature conforming to RFC793. > + Strict implementation of RFC793 (TCP) requires support for a feature > + called "simultaneous connect", which allows two clients to connect to > + each other without anyone entering a listening state. While almost > + never used, and supported by few OSes, Linux supports this feature. > + > + However, it introduces a weakness in the protocol which makes it very > + easy for an attacker to prevent a client from connecting to a known > + server. The attacker only has to guess the source port to shut down > + the client connection during its establishment. The impact is limited, > + but it may be used to prevent an antivirus or IPS from fetching updates > + and not detecting an attack, or to prevent an SSL gateway from fetching > + a CRL for example. > + > + If you want absolute compatibility with any possible application, > + you should set it to 1. If you prefer to enhance security on your > + systems you'd better let it to 0. After four years of usage on set it to 0. or did you mean: (?) let it be 0. > + hundreds of systems, no application was ever found to require this > + feature, which is not even supported by most firewalls. > + Default: 0 > + > somaxconn - INTEGER > Limit of socket listen() backlog, known in userspace as SOMAXCONN. > Defaults to 128. See also tcp_max_syn_backlog for additional tuning --- ~Randy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists