Date: Sun, 8 Jul 2001 03:31:59 -0500
From: John Cappiello <john@apt202.net>
To: freebsd-stable@freebsd.org
Subject: Re: Headsup: Tcp ISN generation changes from 4.2 to 4.3
Message-ID: <20010708033159.A19667@localhost>
In-Reply-To: <20010707002821.A18599-100000@achilles.silby.com>; from silby@silby.com on Sat, Jul 07, 2001 at 10:30:26PM -0500
References: <20010707002821.A18599-100000@achilles.silby.com>
On Sat, Jul 07, 2001 at 10:30:26PM -0500, Mike Silbersack wrote:

> If you are running 4.3-release or later, please read the entirety of this
> message; you are probably affected.
>
> Shortly before 4.3-release was tagged, the tcp initial sequence number
> generation scheme was changed to fix a weakness which could allow an
> attacker to reset connections. At that time, it was known that the fix
> would also break TIME_WAIT handling. The impact of this breakage was
> expected to be small. Unfortunately, recent reports on -net seem to
> indicate that the breakage is widespread.
>
> Consequently, I have just committed patches to -current and -stable which
> allow you to select the tcp initial sequence number generation scheme used
> by your system. If you don't wish to cvsup just for this patch, you may
> instead obtain it from http://www.silby.com/patches/multiple_isn_schemes.patch
> and manually apply the patch yourself.
>
> Once a patched / updated kernel is installed, you can change generation
> schemes with the sysctl net.inet.tcp.tcp_seq_genscheme. 0 = the older
> random positive increments, 1 = the newer randomized scheme.
>
> The newer scheme causes problems in cases where a FreeBSD box is making many
> outgoing connections per second to the same host. For example, you may
> have a box which connects to a backend SQL server. If you have such a
> setup, you are probably seeing many rejected connections each second /
> other oddities in connection setup. If this is the case, you should
> update and toggle the system back to random positive increments.
>
> The newer scheme causes no problems in accepting incoming connections. As
> a result, you will probably see no problems if your servers mainly handle
> incoming requests and do not make many outgoing requests of their own.
>
> This sysctl will only be temporary. Once a secure _and_ compatible
> initial sequence number generation scheme is implemented, it will become
> the default. This will be at least a few weeks away, however. If you are
> seeing the problems described above, you should cvsup (or patch) and flip
> the sysctl now, rather than wait.

I'm sorry, but I just want to make sure I have this right. I checked my
logs but did not see any report of this problem. Is there anywhere
specific I should be looking for this error? I just don't want to assume
I'm not affected by this, and be wrong.

> Mike "Silby" Silbersack

Thanks,
John
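The TIME_WAIT breakage Mike describes above can be reproduced in a small model. The following Python is an added example written for this page, not FreeBSD source and not anything posted in the thread. It assumes the BSD rule for a SYN arriving on a 4-tuple that is in TIME_WAIT (the SYN is honoured, and the old entry discarded, only if its ISN is greater than the last sequence number seen on the old incarnation, per RFC 1122 section 4.2.2.13); it ignores the clock-driven ISN advance the older scheme also had; the step bounds for the random-positive-increment scheme and the payload size are assumed parameters of the model; and it treats the client as landing on the same 4-tuple each time, which in practice happens as ephemeral ports recycle against one busy peer.

```python
import random

SEQ_MASK = 0xFFFFFFFF


def seq_gt(a: int, b: int) -> bool:
    """32-bit modular 'a is after b', i.e. the kernel's SEQ_GT(a, b)."""
    diff = (a - b) & SEQ_MASK
    return 0 < diff < 0x80000000


class PositiveIncrementISN:
    """Scheme 0 (tcp_seq_genscheme=0): each ISN is the previous one plus a
    random positive step, so successive ISNs only move forward.
    The step bounds are assumed for this model, not FreeBSD's constants."""

    def __init__(self, rng: random.Random, min_step: int = 1 << 16, max_step: int = 1 << 17):
        self.rng = rng
        self.iss = rng.randrange(1 << 32)
        self.min_step, self.max_step = min_step, max_step

    def next_isn(self) -> int:
        self.iss = (self.iss + self.rng.randrange(self.min_step, self.max_step)) & SEQ_MASK
        return self.iss


class RandomISN:
    """Scheme 1 (tcp_seq_genscheme=1): each ISN is drawn independently of the last."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def next_isn(self) -> int:
        return self.rng.randrange(1 << 32)


class TimeWaitPeer:
    """The remote end of one 4-tuple, holding TIME_WAIT for the previous incarnation.

    Modelled rule (RFC 1122 4.2.2.13 as BSD applies it): a SYN for a 4-tuple in
    TIME_WAIT is honoured, and the old entry discarded, only when the SYN's
    sequence number is greater than the last sequence number the old incarnation
    delivered (rcv_nxt). Otherwise it looks like an old duplicate and the
    connect attempt fails.
    """

    def __init__(self):
        self.rcv_nxt = None  # None until the first connection has run

    def syn(self, isn: int, payload_len: int) -> bool:
        if self.rcv_nxt is not None and not seq_gt(isn, self.rcv_nxt):
            return False
        # Accepted: the new connection runs to completion (SYN, payload, FIN)
        # and leaves a fresh TIME_WAIT entry behind.
        self.rcv_nxt = (isn + 1 + payload_len + 1) & SEQ_MASK
        return True


def run(scheme: int, connections: int, payload_len: int, seed: int = 7):
    """Open `connections` back-to-back connections on the same 4-tuple while the
    peer still holds TIME_WAIT for the last one. Returns (accepted, rejected).
    The seed makes the constructed run repeatable."""
    rng = random.Random(seed)
    gen = PositiveIncrementISN(rng) if scheme == 0 else RandomISN(rng)
    peer = TimeWaitPeer()
    accepted = rejected = 0
    for _ in range(connections):
        if peer.syn(gen.next_isn(), payload_len):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    for scheme in (0, 1):
        ok, bad = run(scheme, 2000, 4096)
        print(f"tcp_seq_genscheme={scheme}: {ok} accepted, {bad} rejected")
```

With scheme 0 every reconnect gets through, because each new ISN is guaranteed to sit ahead of the few kilobytes the previous incarnation moved. With scheme 1 roughly half of the fresh SYNs draw an ISN that falls "behind" the old connection's last sequence number in 32-bit modular order, so the peer treats them as stale and the connect fails; that is the "many rejected connections each second" symptom, and it only appears on the side opening connections, which is why a mostly-inbound server does not notice.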
