oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request -- kernel: tcp: drop SYN+FIN messages

From: John Haxby <john.haxby () oracle com>
Date: Thu, 07 Jun 2012 08:31:51 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/06/12 20:12, Kurt Seifried wrote:

In my limited testing with iptables on RHEL 6.2 it appears that
--state NEW works properly, and won't allow SYN+FIN to create
connections (I used hping3 and the SYN+FIN Packets were blocked).

So the default ruleset:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited

should work, so you could do you clever --syn bits first and then have
that set to protect stuff from SYN+FIN.


What happens if you have "-j ACCEPT" instead of "-j DROP"?   I would
expect that sshd wouldn't see the connection but you would get all the
unpleasant side effects that made T/TCP deprecated.

jch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/QWOYACgkQRQu7fpQvo8i5MwEAiJseTDYDaW2AsQaAz444Y7gv
Qjbh/Y9rPosBsO0QFlYA/jTuPFgSN38RNVI3l78kh7Cwh9zrBVIXKDG3JPTxakuc
=rjvP
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: