From: Tim Traver
Date: Thu, 19 May 2005 13:27:10 -0700
To: Ted Mittelstaedt
cc: bsd
Subject: Re: PAWS security vulnerability

Ted,

thanks for taking a look at this.

I'm not sure I have the ability to test out your patch. Maybe someone else on this fine list can?

But this sounds like a pretty severe DOS issue that seems to be relatively simple to implement.

Do you know if the 5.x branch is affected by this as well?

Tim.

Ted Mittelstaedt wrote:

>Hi Tim,
>
> Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
>rewritten for FreeBSD 4.11. YMMV If it works I would submit it to the FreeBSD
>security list. The only change I made is OpenBSD defines "tiflags"
>FreeBSD defines "thflags" I assume they are the same thing.
>The file is in /usr/src/sys/netinet
>
>Turning off the timestamps would be a good way to make your network go
>slow.
>
>*** tcp_input.c.original Thu May 19 11:52:30 2005 >--- tcp_input.c Thu May 19 12:00:14 2005 >*************** >*** 976,984 **** >--- 976,992 ---- > * record the timestamp. > * NOTE that the test is modified according to the latest > * proposal of the tcplw@cray.com list (Braden >1993/04/26). >+ * NOTE2 additional check added as a result of PAWS >vulnerability >+ * documented in Cisco security notice >cisco-sn-20050518-tcpts >+ * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch > */ > if ((to.to_flags & TOF_TS) != 0 && > SEQ_LEQ(th->th_seq, tp->last_ack_sent)) { >+ if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen >+ >+ ((thflags & (TH_SYN|TH_FIN)) != 0))) >+ tp->ts_recent = to.to_tsval; >+ else >+ tp->ts_recent = 0; > tp->ts_recent_age = ticks; > tp->ts_recent = to.to_tsval; > }
>
>Ted
>
>>-----Original Message-----
>>From: owner-freebsd-questions@freebsd.org
>>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Tim Traver
>>Sent: Thursday, May 19, 2005 10:09 AM
>>To: bsd
>>Subject: PAWS security vulnerability
>>
>>Hi all,
>>
>>ok, this article was just published about a PAWS TCP DOS vulnerability,
>>and lists freeBSD 4.x as affected.
>>
>>http://www.securityfocus.com/bid/13676/info/
>>
>>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>>
>>and is 5.4 affected too ?
>>
>>Tim.
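
Review bot: The added if/else has no effect as posted, because the unchanged line `tp->ts_recent = to.to_tsval;` that follows `tp->ts_recent_age = ticks;` still overwrites ts_recent unconditionally after the new check has run. The context diff removes nothing (976,984 only grows to 976,992), so that original assignment needs to be deleted for the `SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ...)` test to decide whether the timestamp is recorded or reset to 0. Separately, the mail client has wrapped several lines (the "(Braden 1993/04/26)" comment, the first two NOTE2 comment lines and the `tlen +` continuation), so the patch will not apply as quoted; sending it as an attachment would avoid that.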