lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADVnQykQLHBgDLwMd63b5dwnFUbikeQ_-Jp9mjDTNQObS0Z7=Q@mail.gmail.com>
Date:	Thu, 15 Aug 2013 20:34:09 -0400
From:	Neal Cardwell <ncardwell@...gle.com>
To:	Jiri Bohac <jbohac@...e.cz>
Cc:	Jakob Lell <jakob@...oblell.com>, Netdev <netdev@...r.kernel.org>,
	David Miller <davem@...emloft.net>
Subject: Re: [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate
 spoofing attacks

On Thu, Aug 15, 2013 at 8:00 PM, Jiri Bohac <jbohac@...e.cz> wrote:
> (compile-tested only)
>
> Jakob Lell discovered that the sequence number that needs to be guessed to
> successfully spoof a TCP connection with syncookies only has 27 bits of
> entropy. Of the 32 bits, 2 bits are wasted by the four differrent timestamps
> accepted and 3 are wasted by the 8 differrent RSS values. [1]
>
> This patch slows down the timer used in syncookies from 1/60 Hz to 1/60/4 Hz
> so that at any moment only two differrent timer values can be accepted.
> As a result, 1 bit of sequence number entropy is gained.
>
> This changes the maximum cookie age limit from 4 - 5 minutes to 4 - 8 minutes.
>
> [1]: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/
>
> Signed-off-by: Jiri Bohac <jbohac@...e.cz>
...

>  /*
> - * This (misnamed) value is the age of syncookie which is permitted.
> + * This value is the age (in seconds) of syncookies which will always be

I believe (hope?) you mean minutes here, rather than seconds. :-) Same
typo occurs in 2 spots each for IPv4 and IPv6.

neal
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ