oss-sec mailing list archives

CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies


From: Marcus Meissner <meissner () suse de>
Date: Mon, 10 Mar 2014 17:17:40 +0100

Hi,

Did this issue:
http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/
ever get a CVE or should it get one?

At least some hardening measures have been implemented now:
http://thread.gmane.org/gmane.comp.security.oss.general/10875

Made "4 times" harder in 3.13 by these two patches:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906
commit 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906
Author: Florian Westphal <fw () strlen de>
Date:   Fri Sep 20 22:32:55 2013 +0200

    tcp: syncookies: reduce cookie lifetime to 128 seconds
    
    We currently accept cookies that were created less than 4 minutes ago
    (ie, cookies with counter delta 0-3).  Combined with the 8 mss table
    values, this yields 32 possible values (out of 2**32) that will be valid.
    
    Reducing the lifetime to < 2 minutes halves the guessing chance while
    still providing a large enough period.
    
    While at it, get rid of jiffies value -- they overflow too quickly on
    32 bit platforms.
    
    getnstimeofday is used to create a counter that increments every 64s.
    perf shows getnstimeofday cost is negligible compared to sha_transform;
    normal tcp initial sequence number generation uses getnstimeofday, too.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086293542b991fb88a2e41ae7b4f82ac65a20e1a
commit 086293542b991fb88a2e41ae7b4f82ac65a20e1a
Author: Florian Westphal <fw () strlen de>
Date:   Fri Sep 20 22:32:56 2013 +0200

    tcp: syncookies: reduce mss table to four values

    Halve mss table size to make blind cookie guessing more difficult.
    This is sad since the tables were already small, but there
    is little alternative except perhaps adding more precise mss information
    in the tcp timestamp.  Timestamps are unfortunately not ubiquitous.

    Guessing all possible cookie values still has an 8-in-2**32 chance.


Ciao, Marcus
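The two commit messages count accepted cookies as (counter values inside the lifetime window) x (mss table entries). The following is an added example, not code from the kernel or from this post: a Python model of the kernel's syncookie layout (counter in the top 8 bits, mss table index folded into the low 24 bits behind a keyed hash), with HMAC-SHA256 standing in for sha_transform, that enumerates the values a server would accept for one connection attempt before (4 x 8) and after (2 x 4) the patches. The secret, 4-tuple and client ISN are constructed sample values.

```python
import hashlib
import hmac

COOKIEBITS = 24                       # low 24 bits carry hash + mss index
COOKIEMASK = (1 << COOKIEBITS) - 1
U32 = 0xFFFFFFFF

def cookie_hash(secret, tup, count, c):
    # Stand-in for the kernel's sha_transform over the 4-tuple and a secret
    # (HMAC-SHA256 truncated to 32 bits; the layout, not the hash, is modelled).
    msg = "|".join(map(str, (*tup, count, c))).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(secret, tup, sseq, count, mss_index):
    """Server-side encode: H0 + client ISN + (count << 24) + ((H1 + mss_index) mod 2**24)."""
    h0 = cookie_hash(secret, tup, 0, 0)
    h1 = cookie_hash(secret, tup, count, 1)
    return (h0 + sseq + (count << COOKIEBITS) + ((h1 + mss_index) & COOKIEMASK)) & U32

def check_cookie(secret, tup, sseq, cookie, now, max_age, num_mss):
    """Server-side check: return the mss table index, or None if rejected."""
    c = (cookie - cookie_hash(secret, tup, 0, 0) - sseq) & U32
    diff = (now - (c >> COOKIEBITS)) & 0xFF       # how many counter ticks old
    if diff >= max_age:                           # outside MAX_SYNCOOKIE_AGE
        return None
    idx = (c - cookie_hash(secret, tup, now - diff, 1)) & COOKIEMASK
    return idx if idx < num_mss else None         # must index the mss table

def count_valid_cookies(secret, tup, sseq, now, max_age, num_mss):
    """How many of the 2**32 acknowledgement values the server accepts for one
    connection attempt: every (counter value in window, mss table entry) pair."""
    valid = set()
    for age in range(max_age):
        for idx in range(num_mss):
            c = make_cookie(secret, tup, sseq, now - age, idx)
            assert check_cookie(secret, tup, sseq, c, now, max_age, num_mss) == idx
            valid.add(c)
    return len(valid)

# Constructed sample inputs: secret, 4-tuple and client ISN are arbitrary.
SECRET = b"constructed-syncookie-secret"
TUPLE = ("192.0.2.10", "198.51.100.7", 40000, 80)
CLIENT_ISN = 0x1234ABCD
NOW = 1000  # counter ticks (one per minute before the patch, one per 64 s after)

if __name__ == "__main__":
    before = count_valid_cookies(SECRET, TUPLE, CLIENT_ISN, NOW, max_age=4, num_mss=8)
    after = count_valid_cookies(SECRET, TUPLE, CLIENT_ISN, NOW, max_age=2, num_mss=4)
    print(f"pre-3.13: {before} of 2**32 accepted; 3.13: {after} of 2**32 accepted")
```

The accepted set shrinks from 32 to 8 values out of 2**32 per attempt, which is exactly the "4 times harder" figure quoted above.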

