Date:      Fri, 23 Apr 2004 22:34:51 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        freebsd-security@freebsd.org
Subject:   Proposed RST patch
Message-ID:  <20040423222922.F1915@odysseus.silby.com>

Here's my proposed patch to change RST handling so that ESTABLISHED
connections are subject to strict RST checking, but connections in other
states are only subject to the "within the window" check.  Part 2 of the
patch is simply a patch to netstat so that it displays the statistic.

As expected, it's very straightforward; the only real question is what to
call the statistic... "Ignored RSTs in the window" isn't the best
description.

FWIW, I've been testing with the exploit code
(reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this
change does indeed defeat the attack.  It took me a while to get the code
working; they really munged up the libnet calls, but I guess that was the
intent.

Mike "Silby" Silbersack

Attachment: bad_reset.patch
Attachment: bad_reset-part2.patch
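
The policy the message describes, sketched as an added example; it is not the attached patch and not FreeBSD's code. It assumes "strict" means the RST's sequence number must equal the next expected sequence number exactly, and every name in it (`rst_acceptable`, `rst_stats`, the state enum) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not the FreeBSD tcp_input.c code. */
enum conn_state { ST_SYN_RECEIVED, ST_ESTABLISHED, ST_FIN_WAIT_1, ST_CLOSE_WAIT };

struct rst_stats {
    unsigned long accepted;       /* RSTs allowed to reset the connection */
    unsigned long ignored_in_win; /* in-window RSTs dropped by the strict check */
    unsigned long out_of_window;  /* RSTs outside the receive window */
};

/* Window test in 32-bit sequence space, correct across wraparound. */
static bool seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)                 /* zero window: only the exact next */
        return seq == rcv_nxt;        /* sequence number is acceptable    */
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd; /* offset modulo 2^32 */
}

/*
 * Decide whether an incoming RST may reset the connection.
 * Assumption: "strict" means seg_seq must equal rcv_nxt exactly.
 */
bool rst_acceptable(enum conn_state st, uint32_t seg_seq,
                    uint32_t rcv_nxt, uint32_t rcv_wnd,
                    struct rst_stats *stats)
{
    if (!seq_in_window(seg_seq, rcv_nxt, rcv_wnd)) {
        stats->out_of_window++;
        return false;
    }
    /* ESTABLISHED: being somewhere in the window is not enough. */
    if (st == ST_ESTABLISHED && seg_seq != rcv_nxt) {
        stats->ignored_in_win++;  /* the kind of counter netstat would show */
        return false;
    }
    /* Other states: the "within the window" check alone decides. */
    stats->accepted++;
    return true;
}
```

With a 64 KB window, an off-path sender needs on the order of 2^16 guesses to land anywhere in the window but on the order of 2^32 to hit one exact sequence number, which is the gap the strict check relies on.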



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040423222922.F1915>