Date: Mon, 10 Mar 2014 17:17:40 +0100 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies Hi, Did this issue: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ ever get a CVE or should it get one? At least some hardening measures have been implemented now: http://thread.gmane.org/gmane.comp.security.oss.general/10875 Made "4 times" harder in 3.13 by these two patches: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906 commit 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906 Author: Florian Westphal <fw@...len.de> Date: Fri Sep 20 22:32:55 2013 +0200 tcp: syncookies: reduce cookie lifetime to 128 seconds We currently accept cookies that were created less than 4 minutes ago (ie, cookies with counter delta 0-3). Combined with the 8 mss table values, this yields 32 possible values (out of 2**32) that will be valid. Reducing the lifetime to < 2 minutes halves the guessing chance while still providing a large enough period. While at it, get rid of jiffies value -- they overflow too quickly on 32 bit platforms. getnstimeofday is used to create a counter that increments every 64s. perf shows getnstimeofday cost is negible compared to sha_transform; normal tcp initial sequence number generation uses getnstimeofday, too. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086293542b991fb88a2e41ae7b4f82ac65a20e1a commit 086293542b991fb88a2e41ae7b4f82ac65a20e1a Author: Florian Westphal <fw@...len.de> Date: Fri Sep 20 22:32:56 2013 +0200 tcp: syncookies: reduce mss table to four values Halve mss table size to make blind cookie guessing more difficult. This is sad since the tables were already small, but there is little alternative except perhaps adding more precise mss information in the tcp timestamp. Timestamps are unfortunately not ubiquitous. Guessing all possible cookie values still has 8-in 2**32 chance. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ