From owner-freebsd-net Fri Oct 4 11: 9:31 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24CEE37B401 for ; Fri, 4 Oct 2002 11:09:30 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 91F5343E65 for ; Fri, 4 Oct 2002 11:09:29 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.5) with ESMTP id g94I9SgQ015078 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK); Fri, 4 Oct 2002 14:09:29 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.5/Submit) id g94I9Sbm015075; Fri, 4 Oct 2002 14:09:28 -0400 (EDT) (envelope-from wollman)
Date: Fri, 4 Oct 2002 14:09:28 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200210041809.g94I9Sbm015075@khavrinen.lcs.mit.edu>
To: John Polstra
Cc: net@FreeBSD.ORG
Subject: Re: Anyone T/TCP?
In-Reply-To: <200210041722.g94HMrbG002976@vashon.polstra.com>
References: <200210041722.g94HMrbG002976@vashon.polstra.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

< said:
> Accepting incoming T/TCP creates a pretty serious DoS vulnerability,
> doesn't it? The very first packet contains the request, which the
> server must act upon and reply to without further delay. There is no
> 3-way handshake, so a simple attack using spoofed source addresses can
> impose a huge load on the victim.

None of these assertions are correct. There is a serious vulnerability in T/TCP, but it has to do with how the connection counts are chosen and validated.

The initial connection between two hosts always falls back to the three-way handshake; the second and later connections use the accelerated-open feature. However, the connection count used to implement accelerated open can be spoofed with a probability of 0.5 per attempt (or even more easily if the attacker can open a connection to the target beforehand). As a result, T/TCP can only be enabled safely if all the connections to a machine can be authenticated (either embedded in the request or below the transport layer).

T/TCP is classified as an Experimental protocol. This means that it is not considered adequate for widespread deployment in the Internet, and implementations are not supposed to enable it without explicit configuration.

-GAWollman
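The mechanism Wollman describes, modelled as an added example (this is constructed illustration code, not FreeBSD's tcp_input.c or anything from the thread): a per-peer cache of the last connection count (CC) seen, a three-way handshake on first contact, and an accelerated open whenever a later SYN carries a CC that is "newer" than the cached one under 32-bit modular comparison. The `TaoCache` class, the `cc_gt` helper and the `walkthrough`/`simulated_spoof_rate` functions are invented names for the illustration. The simulation makes the "0.5 per attempt" figure concrete: because newness is a modular comparison, a uniformly random CC guess lands in the accepted half of the space just under half the time, whatever value the cache holds, which is why the message concludes that accelerated open is only safe when the peer is authenticated by some other means.

```python
"""Constructed model of the T/TCP (RFC 1644) TAO test described in the message.
Added example, not FreeBSD's implementation; names are invented."""
import random
from typing import Dict, List, Optional

CC_MASK = 0xFFFFFFFF   # CC is a 32-bit counter
CC_HALF = 0x80000000   # half of the CC space


def cc_gt(a: int, b: int) -> bool:
    """True if CC value a is 'newer' than b under modular (sequence-number
    style) comparison: the forward distance from b to a lies in (0, 2**31)."""
    return 0 < ((a - b) & CC_MASK) < CC_HALF


class TaoCache:
    """Per-peer record of the last CC accepted from that peer (the TAO cache).
    Simplified: one CC per peer address, no timeouts."""

    def __init__(self) -> None:
        self._last_cc: Dict[str, int] = {}

    def syn_arrives(self, peer: str, cc: int) -> str:
        """Decide how to treat a SYN carrying a CC option from `peer`.
        Returns 'accelerated' when the TAO test passes (a cache entry exists
        and the new CC is newer than it), otherwise 'handshake'.  Only the
        accelerated path updates the cache here; the handshake path updates
        it through handshake_completed(), i.e. only after the peer has shown
        it can receive packets at the address it claims."""
        cached = self._last_cc.get(peer)
        if cached is not None and cc_gt(cc, cached):
            self._last_cc[peer] = cc
            return "accelerated"
        return "handshake"

    def handshake_completed(self, peer: str, cc: int) -> None:
        """Record the CC of a connection whose three-way handshake finished."""
        self._last_cc[peer] = cc

    def cached_cc(self, peer: str) -> Optional[int]:
        return self._last_cc.get(peer)


def exact_spoof_probability() -> float:
    """Probability that one uniformly random 32-bit CC guess passes cc_gt
    against any fixed cached value: (2**31 - 1) / 2**32, just under 0.5."""
    return (CC_HALF - 1) / (CC_MASK + 1)


def simulated_spoof_rate(cached: int, attempts: int, seed: int = 7) -> float:
    """Fraction of seeded random CC guesses that pass the TAO test against
    `cached`.  Attempts are independent, so the per-attempt chance is about
    0.5 no matter what the cache holds (constructed simulation)."""
    rng = random.Random(seed)
    hits = sum(cc_gt(rng.getrandbits(32), cached) for _ in range(attempts))
    return hits / attempts


def walkthrough() -> List[str]:
    """The sequence the message describes, run against a fresh cache."""
    cache = TaoCache()
    steps = []
    # First contact from peer A: no cache entry, so a full handshake.
    steps.append(cache.syn_arrives("A", 1000))
    cache.handshake_completed("A", 1000)
    # Second connection from A with a newer CC: accelerated open.
    steps.append(cache.syn_arrives("A", 1001))
    # A replayed or stale CC fails the TAO test and falls back to the handshake.
    steps.append(cache.syn_arrives("A", 900))
    return steps


if __name__ == "__main__":
    print(walkthrough())
    print(round(exact_spoof_probability(), 6), simulated_spoof_rate(1000, 20000))
```

The design point worth noticing is in `syn_arrives`: the only thing standing between a SYN and an accelerated open is the modular comparison, and nothing in that comparison depends on the sender actually being reachable at the source address. The three-way handshake path is what ties a cache entry to a reachable peer, and the accelerated path skips it, so the protocol's own address validation reduces to a coin flip unless the request is authenticated at another layer.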