Re: predictable IP ID

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Miquel van Smoorenburg: "Re: [linux-usb] Re: USB device allocation"
• Previous message: Riley Williams: "Re: [patch] replacing "/dev/root" in /proc/mounts"
• In reply to: Chuck Lever: "Re: [patch] 2.3.18ac10 /proc fixes [Re: [patch] wchan in 2.3.18ac6]"

>> 2. How should we fix the referenced problem with TCP spoofing (if we decide
>> not to create any storage)?
>
>By making the above/below responses the same

Maybe I am overlooking something. See net/ipv4/tcp_input.c of 2.2.13pre14
line 2339:

case TCP_SYN_RECV:
if (acceptable) {
tcp_set_state(sk, TCP_ESTABLISHED);
sk->dport = th->source;
tp->copied_seq = tp->rcv_nxt;

if(!sk->dead)
sk->state_change(sk);

tp->snd_una = TCP_SKB_CB(skb)->ack_seq;
tp->snd_wnd = htons(th->window) << tp->snd_wscale;
tp->snd_wl1 = TCP_SKB_CB(skb)->seq;
tp->snd_wl2 = TCP_SKB_CB(skb)->ack_seq;

} else {
SOCK_DEBUG(sk, "bad ack\n");
return 1;
}

acceptable is set by tcp_ack and tcp_ack returns _zero_ (and not 1 as
2.0.x) if:

if (after(ack, tp->snd_nxt) || before(ack, tp->snd_una))
goto uninteresting_ack;

(snd_una and snd_nxt will both point to the only allowed ack at SYN_RECV
time so basically it's a `if (ack != tp->snd_una) return 0').

So reading the code it seems to me that the reply using below-sequence
numbers will be the same RST packet you'll get using above-sequence
numbers. rfc793 also agrees with the current code:

fifth check the ACK field,

if the ACK bit is off drop the segment and return

if the ACK bit is on

SYN-RECEIVED STATE

If SND.UNA =< SEG.ACK =< SND.NXT then enter ESTABLISHED state
and continue processing.

If the segment acknowledgment is not acceptable, form a
reset segment,

<SEQ=SEG.ACK><CTL=RST>

and send it.

At that time SND.UNA == SND.NXT so the ACK must match or a RST packet
must be sent.

So I can't see what you mean with "above/below responses the same" as they
just seems to be the same to me (in 2.2.13pre14 at least). So basically it
seems not possible to me to blind TCP spoof the 2.2.13pre14 TCP stack with
the IP-ID-scan trick explained in the email to bugtraq (the one pointed
out by Savochkin in this thread).

If there is another way to blind TCP spoof exploting the global IP-id++,
then such new way is not explained nor in bugtraq and nor in l-k.

Hints? 8)

Andrea

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Miquel van Smoorenburg: "Re: [linux-usb] Re: USB device allocation"
• Previous message: Riley Williams: "Re: [patch] replacing "/dev/root" in /proc/mounts"
• In reply to: Chuck Lever: "Re: [patch] 2.3.18ac10 /proc fixes [Re: [patch] wchan in 2.3.18ac6]"