Commit 64f509ce authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Pablo Neira Ayuso

netfilter: Mark SYN/ACK packets as invalid from original direction

Clients should not send such packets. By accepting them, we open
up a hole by wich ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0626af31
...@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { ...@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
* sCL -> sSS * sCL -> sSS
*/ */
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, /*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
/* /*
* sNO -> sIV Too late and no reason to do anything * sNO -> sIV Too late and no reason to do anything
* sSS -> sIV Client can't send SYN and then SYN/ACK * sSS -> sIV Client can't send SYN and then SYN/ACK
* sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
* sSR -> sIG * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
* sES -> sIG Error: SYNs in window outside the SYN_SENT state * sES -> sIV Invalid SYN/ACK packets sent by the client
* are errors. Receiver will reply with RST * sFW -> sIV
* and close the connection. * sCW -> sIV
* Or we are not in sync and hold a dead connection. * sLA -> sIV
* sFW -> sIG * sTW -> sIV
* sCW -> sIG * sCL -> sIV
* sLA -> sIG
* sTW -> sIG
* sCL -> sIG
*/ */
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment