[PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Jiri Bohac <jbohac@suse•cz>
To: Jiri Bohac <jbohac@suse•cz>
Cc: Jakob Lell <jakob@jakoblell•com>,
	netdev@vger•kernel.org, davem@davemloft•net
Subject: [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks
Date: Fri, 16 Aug 2013 02:05:23 +0200	[thread overview]
Message-ID: <20130816000523.GC11950@midget.suse.cz> (raw)
In-Reply-To: <20130815235743.GA25665@midget.suse.cz>

Jakob Lell discovered that the sequence number that needs to be guessed to
successfully spoof a TCP connection with syncookies only has 27 bits of
entropy. Of the 32 bits, 3 are wasted by the 8 differrent RSS values. [1]

This patch decreases the number of possible MSS values from 8 to 3,
making the spoofing attack 8/3 times more difficult.

Rationale for the new values
- most packets are (1500 - headers); (1450 - headers) is not a huge waste and
  prevents fallback to much lower values
- clients will rarely send MSS below 536, so that's a safe fallback
- we need to keep the minimum (64)

[1]: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/

Signed-off-by: Jiri Bohac <jbohac@suse•cz>
---
 net/ipv4/syncookies.c | 9 ++-------
 net/ipv6/syncookies.c | 9 ++-------
 2 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index af0692f..0504bbe 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -148,15 +148,10 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,
 int sysctl_tcp4_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = {
 	64,
 	512,
-	536,
-	1024,
-	1440,
-	1460,
-	4312,
-	8960,
+	1450 - 40,
 	/* update sysctl_tcp4_syncookies_mss_count accordingly */
 };
-int sysctl_tcp4_syncookies_mss_count = 8;
+int sysctl_tcp4_syncookies_mss_count = 3;
 
 /*
  * This value is the age (in seconds) of syncookies which will always be
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 4268448..ccdb880 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -28,15 +28,10 @@
 int sysctl_tcp6_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = {
 	64,
 	512,
-	536,
-	1280 - 60,
-	1480 - 60,
-	1500 - 60,
-	4460 - 60,
-	9000 - 60,
+	1450 - 60,
 	/* update sysctl_tcp6_syncookies_mss_count accordingly */
 };
-int sysctl_tcp6_syncookies_mss_count = 8;
+int sysctl_tcp6_syncookies_mss_count = 3;
 
 /*
  * This value is the age (in seconds) of syncookies which will always be

-- 
Jiri Bohac <jbohac@suse•cz>
SUSE Labs, SUSE CZ

next prev parent reply	other threads:[~2013-08-16  0:05 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-13 13:57 Quick Blind TCP Connection Spoofing with SYN Cookies Jakob Lell
2013-08-14 21:02 ` some one
2013-08-15 23:57 ` Jiri Bohac
2013-08-16  0:00   ` [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks Jiri Bohac
2013-08-16  0:34     ` Neal Cardwell
2013-08-16  8:20       ` [PATCH v2 " Jiri Bohac
2013-08-16 21:47     ` [PATCH " Florian Westphal
2013-08-16  0:03   ` [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables Jiri Bohac
2013-08-16 21:40     ` Florian Westphal
2013-08-27 12:55       ` Jiri Bohac
2013-08-16  0:05   ` Jiri Bohac [this message]
2013-08-16 21:31     ` [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks Florian Westphal
2013-08-27 13:52       ` Jiri Bohac
2013-08-16  9:21   ` Quick Blind TCP Connection Spoofing with SYN Cookies Florian Westphal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:af0692f dfblob:0504bbe dfblob:4268448 dfblob:ccdb880 )
 OR (
bs:"[PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130816000523.GC11950@midget.suse.cz \
    --to=jbohac@suse$(echo .)cz \
    --cc=davem@davemloft$(echo .)net \
    --cc=jakob@jakoblell$(echo .)com \
    --cc=netdev@vger$(echo .)kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox