lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20100818143913.1478acea@nehalam>
Date:	Wed, 18 Aug 2010 14:39:13 -0700
From:	Stephen Hemminger <shemminger@...tta.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Herbert Xu <herbert@...dor.apana.org.au>, netdev@...r.kernel.org
Subject: Re: GTSM and TCP accept problem

On Mon, 16 Aug 2010 11:43:45 +0200
Eric Dumazet <eric.dumazet@...il.com> wrote:

> Le samedi 14 août 2010 à 21:46 -0400, Stephen Hemminger a écrit :
> > The implementation of Generalized TTL Security has a problem
> > on the TCP accept side. Since there can be different number of
> > hops for each peer, the listener ends up doing
> > 
> >    socket
> >    bind
> >    set TTL to 255
> >    listen
> >    while (nfd = accept(peer)) {
> >      info = lookup(peer)
> >      set MINTTL to 255 - info->ttl_hops
> > 
> > 
> > The problem is that a rogue peer can still do three way
> > handshake causing the accept to succeed. But the rogue will
> > leave a stuck connection that will then have to timeout.
> > 
> > The only ways I have come up to deal with this are:
> >    * have short timeout on initial data (recycle faster)
> >    * push peer;MINTTL table down into kernel (per socket)
> >    * have BGP do this through iptables which is a non-starter
> >      for a general application that needs to run on BSD, and
> >      would mess up existing firewall rules.
> > 
> > Ideas welcome..
> > --
> 
> Another idea would be to store the TTL of the SYN packet (or third
> packet) and let application read it after accept(), allowing it to
> reject the connection if it doesnt match expected TTL.

could be in tcp_info?
-- 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ