Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
From: Willy Tarreau
Date: Mon Jun 13 2005 - 00:23:27 EST
On Mon, Jun 13, 2005 at 02:48:10PM +1000, Herbert Xu wrote:
> On Sun, Jun 12, 2005 at 04:24:01PM +0200, Willy Tarreau wrote:
> >
> > 1) no firewall in front of A
> > - C spoofs A and sends a fake SYN to B
> > - B responds to A with a SYN-ACK
> > - A sends an RST to B, which clears the session
> > - A wants to connect and sends its SYN to B which accepts it.
>
> Well the attacker simply has to keep sending the same SYN packet
> over and over again until A runs out of SYN retries.
>
> What I really don't like about your patch is the fact that it is
> trying to impose a policy decision (that of forbidding all
> simultaneous connection initiations) inside the TCP stack.
It's the same for ECN or SYN cookies.
> A much better place to do that is netfilter. If you do it there
> then not only will your protect all Linux machines from this attack,
> but you'll also protect all the other BSD-derived TCP stacks.
Netfilter already blocks simultaneous connection. A SYN in return to
a SYN produces an INVALID state.
Cheers,
Willy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/