Re: Recent troubles

[avalon () coombs anu edu au (Darren Reed)]

> Someone replied to my
>
> > > If I had source, I'd probably corrupt tcp_iss on not only received
> > > packets but also [...].
>
> with
>
> > You should read RFC 793 (if you haven't).
>
> This was all; there was no indication _what_ in RFC793 was felt
> relevant.  (RFC793 is the TCP spec.)

I did, but not to the list.  But anyway...

> I assume the section being talked about is the following part of 3.3;
> this is a serious enough point that I think it's worth sending this to
> the whole list, especially since I didn't mention this with the code I
> posted.
>
> +----------------
> | Initial Sequence Number Selection
> |
> | The protocol places no restriction on a particular connection being
> | used over and over again.  A connection is defined by a pair of
> | sockets.  New instances of a connection will be referred to as
> | incarnations of the connection.  The problem that arises from this is
> | -- "how does the TCP identify duplicate segments from previous
> | incarnations of the connection?"  This problem becomes apparent if
> | the connection is being opened and closed in quick succession, or if
> | the connection breaks with loss of memory and is then reestablished.
> |
> | To avoid confusion we must prevent segments from one incarnation of a
> | connection from being used while the same sequence numbers may still
> | be present in the network from an earlier incarnation.  We want to
> | assure this, even if a TCP crashes and loses all knowledge of the
> | sequence numbers it has been using.  When new connections are
> | created, an initial sequence number (ISN) generator is employed which
> | selects a new 32 bit ISN.  The generator is bound to a (possibly
> | fictitious) 32 bit clock whose low order bit is incremented roughly
> | every 4 microseconds.  Thus, the ISN cycles approximately every 4.55
> | hours.  Since we assume that segments will stay in the network no
> | more than the Maximum Segment Lifetime (MSL) and that the MSL is less
> | than 4.55 hours we can reasonably assume that ISN's will be unique.
> +----------------
>
> Yes, the tactic I described (and implemented) for generating
> harder-to-guess ISNs violates this spec.  Like any method that
> generates "random" ISNs, it runs the risk that old segments may be
> mistaken for data on newly-established connections.
>
> Several factors combine to make me ignore this risk.
>
> First is that, assuming the method does generate reasonably random
> ISNs, it's unlikely.  For a 4K maximum window size, it would require a
> one-in-a-million coincidence (4G/4K), and even then it would have to
> hit all the unlikely items below.  (For fat-pipe TCP, the chance is
> higher; for a half-meg window, for example, it's more like one in
> 8192.)

how quickly can you send 1MB of data from host to host ?
10 seconds (best) ?

> Third is that the new connection must use exactly the same port numbers
> as the old.  Unless the other end of the connection crashes too, this
> is extremely unlikely because it will have a TIME_WAIT socket sitting
> around preventing this.

What about SO_REUSEADDR or do you disable this in all programs you
compile ? (A lot enable it to stop TIME_WAIT connections building up in
the kernel).

> Fourth is the quiet time on TCP reboot, specifically for old segments
> to run out of TTL.  If and when machines reboot fast enough for this to
> be a problem, their TCPs need to be taught about this anyway, and that
> should take care of it.

eh ? TTL rarely works as you say...nearly always a hop count thing.

> Thus, I'll take the resistance to known attacks over the small risk
> that two simultaneous host crashes, a very peculiar routing glitch,
> extremely accelerated reboots, and a fluke somewhere between one in
> 8192 and one in 2^20 all conflue to corrupt a connection.
>
> You may choose differently.  You're welcome to.
>
> Unless of course you can suggest some better solution, something I can
> implement in (say) less than 48 hours (my defense was done the same
> afternoon I did the defense against LKMs and /dev/*mem).  I agree that
> TCP needs to be redesigned...but that's not much help when machines are
> being attacked _today_.  I'll be glad to talk redesign, once I have
> some insulation against existing crackers.

Oh, I thought it was obvious, just ensure that the seq# changes more
often than it does and with some (large) uncertainty.  Although you have
a nice CRC algorithm there, it (a) doesn't appear to handle the case
where tcp_iss should wrap (TCP_COMPAT_42) (b) can be calculated.  Every
so often, despite your attempts, it will go back to 0 (tcp_iss) and from
there you can do the math yourself.  So the game becomes to get a packet
to be the first in after tcp_iss goes back to 0...the crackers have your
code, they can do the math themselves.

Surely there is a timing routing in the kernel somewhere which you could
plug a bit of extra assembly in...