From owner-freebsd-net@FreeBSD.ORG Sun Jul 3 00:35:58 2005
Message-Id: <200502112259.j1BMxdwu013455@gw.catspoiler.org>
From: Don Lewis <truckman@FreeBSD.org>
To: oppermann@networx.ch
Cc: freebsd-net@FreeBSD.org, qing.li@bluecoat.com, freebsd-current@FreeBSD.org
Subject: Re: known TCP vulnerability ??
In-Reply-To: <420D1344.9DAC70D0@networx.ch>
Date: Sun, 03 Jul 2005 00:35:59 -0000
X-Original-Date: Fri, 11 Feb 2005 14:59:39 -0800 (PST)
Sender: owner-freebsd-current@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii

On 11 Feb, Andre Oppermann wrote:
> "Li, Qing" wrote:
>>
>> http://www.kb.cert.org/vuls/id/464113
>>
>> http://www.linuxsecurity.com/content/view/104980/98/
>>
>> Ran the packet tests against FreeBSD 5.3 and 6-CURRENT and both
>> respond to the SYN+FIN packets with SYN+ACK.
>
> This is expected behaviour because FreeBSD used to implement T/TCP
> according to RFC1644. I haven't removed this part from TCP because
> I have a better reincarnation of T/TCP without the previous shortcomings
> almost ready which uses this again.
>
> The CERT article describes how dumb firewalls with poor stateful
> inspection may get fooled by this and other flag combinations.
> All I can say is it's not our fault. The SYN+FIN combination is
> described in RFC1644 and if the firewall gets it wrong... Well,
> the real world sucks.

We won't try to accept a new connection if either the RST or ACK bits are
set along with the SYN.

	/*
	 * If the state is LISTEN then ignore segment if it contains
	 * a RST. If the segment contains an ACK then it is bad and
	 * send a RST. If it does not contain a SYN then it is not
	 * interesting; drop it.
	 *
	 * If the state is SYN_RECEIVED (syncache) and seg contains
	 * an ACK, but not for our SYN/ACK, send a RST. If the seg
	 * contains a RST, check the sequence number to see if it
	 * is a valid reset segment.
	 */
	if ((thflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) {
		if ((thflags & (TH_RST|TH_ACK|TH_SYN)) == TH_ACK) {
	[snip]
	}

	/*
	 * Segment's flags are (SYN) or (SYN|FIN).
	 */

The FIN flag should be harmless if it accompanies a SYN, but if it makes
you feel more comfortable, you can compile your kernel with the
TCP_DROP_SYNFIN option, which gives you a sysctl knob that controls
whether or not these packets get dropped. Typically this is done to
confuse software that attempts to identify a remote host OS by seeing how
it responds to various packets. You might find that enabling this option
makes a host running FreeBSD look like it is running Microsoft Windows and
invite a horde of attempts to exploit various Windows vulnerabilities ;-)
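A stand-alone model of that LISTEN-state flag test, added here as an example and not taken from the FreeBSD kernel: the TCP_DROP_SYNFIN knob is modelled as a boolean parameter, the syncache lookup for a lone ACK is left out (it is simply answered with RST), and the sample header bytes are constructed for the test.

```c
#include <stdbool.h>
#include <stdint.h>

/* TCP flag bits, with the values used in <netinet/tcp.h>. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

/* What the listener does with an incoming segment. */
enum listen_action {
    LISTEN_DROP,     /* ignore silently */
    LISTEN_SEND_RST, /* segment carried an ACK: answer with a RST */
    LISTEN_ACCEPT    /* plain SYN or SYN|FIN: go on to the syncache */
};

/*
 * Hypothetical model of the tcp_input() test quoted in the mail: only the
 * RST, ACK and SYN bits decide, so FIN and PUSH do not change the outcome.
 * A lone ACK is answered with RST (simplified: the syncache lookup for a
 * SYN_RECEIVED connection is left out); anything else that is not a bare
 * SYN is dropped. drop_synfin models the TCP_DROP_SYNFIN sysctl knob.
 */
enum listen_action listen_classify(uint8_t thflags, bool drop_synfin)
{
    if ((thflags & (TH_RST | TH_ACK | TH_SYN)) != TH_SYN) {
        if ((thflags & (TH_RST | TH_ACK | TH_SYN)) == TH_ACK)
            return LISTEN_SEND_RST;
        return LISTEN_DROP;
    }
    /* Segment's flags are (SYN) or (SYN|FIN). */
    if (drop_synfin && (thflags & TH_FIN))
        return LISTEN_DROP; /* knob set: no SYN|ACK for SYN+FIN */
    return LISTEN_ACCEPT;
}

/* Flags byte of a raw TCP header is at offset 13. */
uint8_t tcp_flags_of(const uint8_t *tcphdr)
{
    return tcphdr[13];
}

/* Constructed 20-byte TCP header: port 12345 -> 80, flags SYN|FIN. */
static const uint8_t sample_synfin[20] = {
    0x30, 0x39, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, TH_SYN | TH_FIN, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};
```

With the knob off the constructed SYN+FIN header is accepted exactly like a plain SYN; with it on, the same header is dropped while SYN, lone ACK and RST segments are treated as before.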