oss-sec mailing list archives
Re: CVE Request -- kernel: tcp: drop SYN+FIN messages
From: John Haxby <john.haxby () oracle com>
Date: Thu, 07 Jun 2012 08:31:51 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 01/06/12 20:12, Kurt Seifried wrote:
In my limited testing with iptables on RHEL 6.2 it appears that --state NEW works properly, and won't allow SYN+FIN to create connections (I used hping3 and the SYN+FIN Packets were blocked). So the default ruleset: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited should work, so you could do you clever --syn bits first and then have that set to protect stuff from SYN+FIN.
What happens if you have "-j ACCEPT" instead of "-j DROP"? I would expect that sshd wouldn't see the connection but you would get all the unpleasant side effects that made T/TCP deprecated. jch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk/QWOYACgkQRQu7fpQvo8i5MwEAiJseTDYDaW2AsQaAz444Y7gv Qjbh/Y9rPosBsO0QFlYA/jTuPFgSN38RNVI3l78kh7Cwh9zrBVIXKDG3JPTxakuc =rjvP -----END PGP SIGNATURE-----
Current thread:
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages, (continued)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Florian Weimer (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Florian Weimer (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 31)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 07)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 07)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 08)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 31)