oss-sec mailing list archives
CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies
From: Marcus Meissner <meissner () suse de>
Date: Mon, 10 Mar 2014 17:17:40 +0100
Hi,

Did this issue:
http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/
ever get a CVE or should it get one?

At least some hardening measures have been implemented now:
http://thread.gmane.org/gmane.comp.security.oss.general/10875

Made "4 times" harder in 3.13 by these two patches:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906

commit 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906
Author: Florian Westphal <fw () strlen de>
Date: Fri Sep 20 22:32:55 2013 +0200

tcp: syncookies: reduce cookie lifetime to 128 seconds

We currently accept cookies that were created less than 4 minutes ago (ie, cookies with counter delta 0-3). Combined with the 8 mss table values, this yields 32 possible values (out of 2**32) that will be valid.

Reducing the lifetime to < 2 minutes halves the guessing chance while still providing a large enough period.

While at it, get rid of jiffies value -- they overflow too quickly on 32 bit platforms.

getnstimeofday is used to create a counter that increments every 64s. perf shows getnstimeofday cost is negligible compared to sha_transform; normal tcp initial sequence number generation uses getnstimeofday, too.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086293542b991fb88a2e41ae7b4f82ac65a20e1a

commit 086293542b991fb88a2e41ae7b4f82ac65a20e1a
Author: Florian Westphal <fw () strlen de>
Date: Fri Sep 20 22:32:56 2013 +0200

tcp: syncookies: reduce mss table to four values

Halve mss table size to make blind cookie guessing more difficult. This is sad since the tables were already small, but there is little alternative except perhaps adding more precise mss information in the tcp timestamp. Timestamps are unfortunately not ubiquitous.

Guessing all possible cookie values still has 8-in 2**32 chance.

Ciao, Marcus
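The counts quoted in the two commit messages, worked through as an added example that is not part of the original message or of the kernel patches. It is a simplified model of the cookie check that assumes an 8-bit time counter in the top byte and a hashed MSS index in the low 24 bits; `toy_hash`, `make_cookie`, `check_cookie` and `accepted_values` are hypothetical names, and `toy_hash` stands in for the kernel's keyed hash.

```c
#include <stdint.h>
#include <stdio.h>
#define COOKIEBITS 24 /* low bits carry hash + MSS index (model assumption) */
#define COOKIEMASK (((uint32_t)1 << COOKIEBITS) - 1)

/* Hypothetical stand-in for the kernel's keyed hash; not the real function. */
static uint32_t toy_hash(uint32_t flow, uint32_t count, uint32_t key)
{
    uint32_t h = flow ^ key ^ (count * 0x9e3779b1u);
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

/* Issue a cookie: time counter in the top byte, MSS table index below. */
static uint32_t make_cookie(uint32_t flow, uint32_t count, uint32_t mssind)
{
    return toy_hash(flow, 0, 1) + (count << COOKIEBITS) +
           ((toy_hash(flow, count, 2) + mssind) & COOKIEMASK);
}

/* Return the MSS index, or -1 if the cookie is too old or the index invalid. */
static int check_cookie(uint32_t cookie, uint32_t flow, uint32_t now,
                        uint32_t max_age, uint32_t mss_entries)
{
    cookie -= toy_hash(flow, 0, 1);
    uint32_t diff = (now - (cookie >> COOKIEBITS)) & 0xff; /* age in ticks */
    if (diff >= max_age)
        return -1;
    uint32_t idx = (cookie - toy_hash(flow, now - diff, 2)) & COOKIEMASK;
    return idx < mss_entries ? (int)idx : -1;
}

/* Count cookies for one flow that validate at time `now`. */
static unsigned accepted_values(uint32_t max_age, uint32_t mss_entries)
{
    const uint32_t flow = 0xc0a80001u, now = 1000; /* constructed samples */
    unsigned n = 0;
    for (uint32_t age = 0; age < 8; age++)      /* ticks since issue */
        for (uint32_t idx = 0; idx < 8; idx++)  /* candidate table slot */
            if (check_cookie(make_cookie(flow, now - age, idx), flow, now,
                             max_age, mss_entries) == (int)idx)
                n++;
    return n;
}

int main(void)
{
    printf("before: %u, after: %u (of 2**32)\n",
           accepted_values(4, 8), accepted_values(2, 4));
    return 0;
}
```

The accepted set is the product of the age window and the table size, which is why halving each gives the "4 times" figure.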
Current thread:
- CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies Marcus Meissner (Mar 10)
- Re: CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies cve-assign (Mar 12)