| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1173262c-a471-683f-9e00-abc8192c9ca8@blackhole.kfki.hu>
Date: Sat, 6 Jul 2024 18:16:13 +0200 (CEST)
From: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
To: Florian Westphal <fw@...len.de>
cc: yyxRoy <yyxroy22@...il.com>, pablo@...filter.org,
gregkh@...uxfoundation.org, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, netfilter-devel@...r.kernel.org,
coreteam@...filter.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, yyxRoy <979093444@...com>
Subject: Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE
for in-window RSTs
On Fri, 5 Jul 2024, Florian Westphal wrote:
> yyxRoy <yyxroy22@...il.com> wrote:
> > With previous commit https://github.com/torvalds/linux/commit/be0502a
> > ("netfilter: conntrack: tcp: only close if RST matches exact sequence")
> > to fight against TCP in-window reset attacks, current version of netfilter
> > will keep the connection state in ESTABLISHED, but lower the timeout to
> > that of CLOSE (10 seconds by default) for in-window TCP RSTs, and wait for
> > the peer to send a challenge ack to restore the connection timeout
> > (5 mins in tests).
> >
> > However, malicious attackers can prevent incurring challenge ACKs by
> > manipulating the TTL value of RSTs. The attacker can probe the TTL value
> > between the NAT device and itself and send in-window RST packets with
> > a TTL value to be decreased to 0 after arriving at the NAT device.
> > This causes the packet to be dropped rather than forwarded to the
> > internal client, thus preventing a challenge ACK from being triggered.
> > As the window of the sequence number is quite large (bigger than 60,000
> > in tests) and the sequence number is 16-bit, the attacker only needs to
> > send nearly 60,000 RST packets with different sequence numbers
> > (i.e., 1, 60001, 120001, and so on) and one of them will definitely
> > fall within in the window.
> >
> > Therefore we can't simply lower the connection timeout to 10 seconds
> > (rather short) upon receiving in-window RSTs. With this patch, netfilter
> > will lower the connection timeout to that of CLOSE only when it receives
> > RSTs with exact sequence numbers (i.e., old_state != new_state).
>
> This effectively ignores most RST packets, which will clog up the
> conntrack table (established timeout is 5 days).
>
> I don't think there is anything sensible that we can do here.
>
> Also, one can send train with data packet + rst and we will hit
> the immediate close conditional:
>
> /* Check if rst is part of train, such as
> * foo:80 > bar:4379: P, 235946583:235946602(19) ack 42
> * foo:80 > bar:4379: R, 235946602:235946602(0) ack 42
> */
> if (ct->proto.tcp.last_index == TCP_ACK_SET &&
> ct->proto.tcp.last_dir == dir &&
> seq == ct->proto.tcp.last_end)
> break;
>
> So even if we'd make this change it doesn't prevent remote induced
> resets.
>
> Conntrack cannot validate RSTs precisely due to lack of information,
> only the endpoints can do this.
I fully agree with Florian: conntrack plays the role of a middle box and
cannot absolutely know the right seq/ack numbers of the client/server
sides. Add NAT on top of that and there are a couple of ways to attack a
given traffic. I don't see a way by which the checkings/parameters could
be tightened without blocking real traffic.
Best regards,
Jozsef
--
E-mail : kadlec@...ckhole.kfki.hu, kadlecsik.jozsef@...ner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
Powered by blists - more mailing lists