| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1322897233.2762.79.camel@edumazet-laptop> Date: Sat, 03 Dec 2011 08:27:13 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: Denys Fedoryshchenko <denys@...p.net.lb> Cc: netdev@...r.kernel.org Subject: Re: SYN attack, with FIN flag set Le samedi 03 décembre 2011 à 00:29 +0200, Denys Fedoryshchenko a écrit : > Hi > > Recently i started to get SYN attacks, and managed them. > syncookies didn't helped, here is "perf report" info: > - 26.89% swapper [kernel.kallsyms] [k] _raw_spin_lock > - _raw_spin_lock > - 94.97% tcp_v4_rcv > ip_local_deliver_finish > ip_local_deliver > ip_rcv_finish > ip_rcv > __netif_receive_skb > process_backlog > net_rx_action > __do_softirq > call_softirq > do_softirq > + irq_exit > > But then i got attack that made server to choke and bypassed "--syn" > rule, and i was surprised, that stack are handling invalid combination > of flags, SYN+FIN. > Is it valid behaviour? > > in tcp_input.c, tcp_rcv_state_process(), it just does check for rst (to > discard), but maybe packet with fin set should be discarded too? I believe netfilter tcp conntrack considers SYN|FIN as INVALID Yes, we could drop SYN|FIN messages, but what prevents attacker to just use SYN messages to attack your machine ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists