From: Jiri Bohac <jbohac@suse•cz>
To: Jakob Lell <jakob@jakoblell•com>
Cc: netdev@vger•kernel.org, davem@davemloft•net
Subject: Re: Quick Blind TCP Connection Spoofing with SYN Cookies
Date: Fri, 16 Aug 2013 01:57:43 +0200 [thread overview]
Message-ID: <20130815235743.GA25665@midget.suse.cz> (raw)
In-Reply-To: <520A3B4A.1050704@jakoblell.com>
On Tue, Aug 13, 2013 at 03:57:30PM +0200, Jakob Lell wrote:
> VIII. Possible mitigation options
>
> The simplification of TCP Connection Spoofing described here is an
> inherent problem of TCP SYN Cookies and so there won't be a simple
> patch which just solves the issue and makes the Spoofing Attack as
> hard as it is without SYN Cookies. It is only possible to gradually
> increase the required effort for successfully spoofing a connection
> e.g. by only accepting the last two instead of four counter values
> (which will lead to a 60-120s
If the counter is slowed down 4 times, accepting only two
values should result in similar behaviour as we have today.
Can anyone think of a reason this should not be done?
Additionally, I believe we should reduce the number of possible MSS
values. I think 3 values should be enough - not supporting jumbo
frames and wasting a few bytes on sub-optimal MSS around 1400
bytes should be acceptable when a system is under a DoS attack.
I have 3 patches doing just that:
1 - slow down the timer and improve the situation by a factor of 2
2 - since not everyone will be happy with exactly 3 MSS values,
let's make this configurable via sysctl
3 - decrease the default number of MSS values to 3 and improve
the situation by a factor of 8/3
These patches combined make the attack 5.3 times harder. By
using the sysctl to only set two possible MSSs, one can make
the attack 8 times harder - and only 4 times easier than
previously believed.
The patches are compile-tested only.
Thoughts?
--
Jiri Bohac <jbohac@suse•cz>
SUSE Labs, SUSE CZ
next prev parent reply other threads:[~2013-08-15 23:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-13 13:57 Quick Blind TCP Connection Spoofing with SYN Cookies Jakob Lell
2013-08-14 21:02 ` some one
2013-08-15 23:57 ` Jiri Bohac [this message]
2013-08-16 0:00 ` [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks Jiri Bohac
2013-08-16 0:34 ` Neal Cardwell
2013-08-16 8:20 ` [PATCH v2 " Jiri Bohac
2013-08-16 21:47 ` [PATCH " Florian Westphal
2013-08-16 0:03 ` [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables Jiri Bohac
2013-08-16 21:40 ` Florian Westphal
2013-08-27 12:55 ` Jiri Bohac
2013-08-16 0:05 ` [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks Jiri Bohac
2013-08-16 21:31 ` Florian Westphal
2013-08-27 13:52 ` Jiri Bohac
2013-08-16 9:21 ` Quick Blind TCP Connection Spoofing with SYN Cookies Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130815235743.GA25665@midget.suse.cz \
--to=jbohac@suse$(echo .)cz \
--cc=davem@davemloft$(echo .)net \
--cc=jakob@jakoblell$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox