Re: [PATCH] netfilter: conntrack: tcp: do not lower timeout to CLOSE for in-window RSTs

[yyxRoy]

On Mon, 8 Jul 2024 at 22:12, Florian Westphal <fw@xxxxxxxxx> wrote:
> We can track TTL/NH.
> We can track TCP timestamps.
> 
> But how would we use such extra information?
> E.g. what I we observe:
> 
> ACK, TTL 32
> ACK, TTL 31
> ACK, TTL 30
> ACK, TTL 29
> 
> ... will we just refuse to update TTL?
> If we reduce it, any attacker can shrink it to needed low value
> to prevent later RST from reaching end host.
> 
> If we don't, connection could get stuck on legit route change?
> What about malicious entities injecting FIN/SYN packets rather than RST?
> 
> If we have last ts.echo from remote side, we can make it harder, but
> what do if RST doesn't carry timestamp?
> 
> Could be perfectly legal when machine lost state, e.g. power-cycled.
> So we can't ignore such RSTs.

I fully agree with your considerations. There are indeed some challenges with the proposed methods of enhancing checks on RSTs of in-window sequence numbers, TTL, and timestamps.

However, we now have known that conntrack may be vulnerable to attacks and illegal state transitions when it receives in-window RSTs with incorrect TTL or data packets + RSTs. Is it possible to find better methods to mitigate these issues, as they may pose threats to Netfilter users?

Note: We have also tested other connection tracking frameworks (such as FreeBSD/OpenBSD PF). Also playing the roles as middleboxes, they only change the state of the connection when they receive an RST with the currently known precise sequence number, thus avoiding these attacks. Could Netfilter adopt similar measures or else to further mitigate these issues?

Thank you again for your time and for your efforts in maintaining the community's performance and security!