Message-ID: <loom.20111003T034624-148@post.gmane.org>
Date:	Mon, 3 Oct 2011 01:46:51 +0000 (UTC)
From:	venkatesh natarajan <venks@...com>
To:	netdev@...r.kernel.org
Subject: Re: GTSM and TCP accept problem

David Miller <davem <at> davemloft.net> writes:

> 
> From: Stephen Hemminger <shemminger <at> vyatta.com>
> Date: Wed, 18 Aug 2010 14:39:13 -0700
> 
> > On Mon, 16 Aug 2010 11:43:45 +0200
> > Eric Dumazet <eric.dumazet <at> gmail.com> wrote:
> > 
> >> Another idea would be to store the TTL of the SYN packet (or third
> >> packet) and let application read it after accept(), allowing it to
> >> reject the connection if it doesn't match expected TTL.
> > 
> > could be in tcp_info?
> 
> I'm sure we can squeeze a byte out of there 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo <at> vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 


I am facing the same issue with the implementation of GTSM for BGP. Typically 
the outbound TTL value set is 64. With the min_ttl implementation we set the outbound 
TTL value of 255 by default. So all BGP speakers will send out 255 in their 
connect SYN packets. Let's say we configure the min_ttl of 254 on the listen 
socket; then it will allow only those peers that are 2 hops away to connect 
(which is correct for eBGP peers), but it will also filter out legitimate connect 
SYN packets that come from iBGP peers that are more than 2 hops away (which I 
feel is an unexpected behavior). 

How can accept check for iBGP peers and not check for the MIN_TTL? I feel this 
could be done only by pushing the iBGP peer IP-address information to accept so 
that it can bypass MIN_TTL checks for them.

If I apply the MIN_TTL setsockopt on the accepted socket (instead of setting it 
on the listen socket) then I open up the port for DoS attack at the TCP level by 
allowing attackers to establish connection and repeatedly...

Have I understood the problem correctly, or have I gone off on a tangent on this?

Thanks
Venks
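The following is an added example written for this archive page, not code from the netdev thread or from any BGP implementation. It shows, in C on Linux, the two socket options the thread is talking about (IP_TTL for the outbound 255 and IP_MINTTL, the Linux name for the "min_ttl" option, on the listener) and the arithmetic behind the 2-hop figure above, and it runs a constructed peer table through the same inbound check to show why a single listen-socket min_ttl cannot admit a distant iBGP peer without also loosening the eBGP check. The peer names and hop counts are constructed; the fallback value 21 for IP_MINTTL is the Linux constant and is only used if the headers do not define it.

```c
/* Added example (not from the netdev thread): GTSM-style inbound TTL check
 * and the setsockopt() calls that install it on a listening socket.
 * Assumes Linux: IP_MINTTL is the kernel's "min_ttl" option, IP_TTL sets
 * the outbound hop limit. */
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_MINTTL
#define IP_MINTTL 21      /* Linux value, assumed when the headers lack it */
#endif

#define GTSM_TTL 255

/* A GTSM peer sends with TTL 255; every router in between decrements it once,
 * so a peer max_hops away arrives with TTL 255 - (max_hops - 1).  With
 * max_hops = 2 this yields the 254 used in the message above. */
int gtsm_min_ttl(int max_hops)
{
    if (max_hops < 1 || max_hops > GTSM_TTL)
        return -1;
    return GTSM_TTL - (max_hops - 1);
}

/* The per-packet check the kernel applies once IP_MINTTL is set: drop
 * anything whose TTL has been decremented below the floor. */
int gtsm_ttl_accepted(int received_ttl, int min_ttl)
{
    return received_ttl >= min_ttl;
}

/* Send with TTL 255 and refuse inbound packets below min_ttl.  On a listening
 * socket the floor applies to the SYN itself, before any connection state is
 * created.  Returns 0 on success, -1 with errno set. */
int gtsm_configure(int fd, int min_ttl)
{
    int ttl = GTSM_TTL;
    if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof min_ttl) < 0)
        return -1;
    return 0;
}

/* Read the floor back so a misapplied option shows up in an audit. */
int gtsm_read_min_ttl(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &v, &len) < 0)
        return -1;
    return v;
}

struct peer { const char *name; int hops; };

/* Constructed peer table: two eBGP neighbours within the 2-hop radius and
 * one legitimate iBGP peer across the core.  Returns how many peers a
 * listener configured for max_hops would reject at the SYN. */
int gtsm_count_rejected(int max_hops)
{
    static const struct peer peers[] = {
        { "eBGP, directly connected", 1 },
        { "eBGP, one router away",    2 },
        { "iBGP, across the core",    7 },
    };
    int min_ttl = gtsm_min_ttl(max_hops), rejected = 0;
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        int arriving_ttl = GTSM_TTL - (peers[i].hops - 1);
        if (!gtsm_ttl_accepted(arriving_ttl, min_ttl))
            rejected++;
    }
    return rejected;
}

/* Round trip on a real socket: 1 = floor stored as expected, 0 = mismatch,
 * -1 = skipped (no socket, or the kernel refused the option). */
int gtsm_self_test(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = gtsm_configure(fd, 254);
    int stored = rc == 0 ? gtsm_read_min_ttl(fd) : -1;
    close(fd);
    if (rc != 0)
        return -1;
    return stored == 254;
}

int main(void)
{
    printf("min_ttl for a 2-hop radius: %d\n", gtsm_min_ttl(2));
    printf("peers rejected at 2 hops:   %d\n", gtsm_count_rejected(2));
    printf("peers rejected at 7 hops:   %d\n", gtsm_count_rejected(7));
    printf("socket round trip:          %d\n", gtsm_self_test());
    return 0;
}
```

Running it shows the trade-off in the message directly: at a 2-hop radius the iBGP peer is rejected at the SYN, and the only way to admit it through the same listener is to lower the floor to its own hop count, which also admits anything within that distance. Applying the floor only on the accepted socket avoids that, but then the SYN is processed before any TTL check, which is the point the message makes about exposure at the TCP level.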


