Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: Mark SYN/ACK packets as invalid from original direction

Clients should not send such packets. By accepting them, we open
up a hole by which ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
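Conntrack only classifies these client-direction SYN/ACKs as invalid; whether they are actually dropped depends on the ruleset consulting that state. The following is an added example, not part of this commit or of the netfilter project's own code: an nftables ruleset that drops `ct state invalid` before any service rule, so a packet this patch marks invalid never reaches the host. The table and chain names and the service ports are assumptions chosen for illustration.

```nft
# Constructed example ruleset (not from the kernel tree). Table/chain names
# and the service ports are assumptions chosen for illustration.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked traffic first.
        iif "lo" accept
        ct state established,related accept

        # Packets conntrack could not place in a valid state, which after
        # this patch includes a SYN/ACK arriving from the original (client)
        # direction in sES and later states, are dropped here rather than
        # falling through to the service rules below.
        ct state invalid counter drop

        # New connections only for the services actually offered.
        tcp dport { 22, 443 } ct state new accept
    }
}
```

Check it with `nft -c -f ruleset.nft` and load it with `nft -f ruleset.nft`. With legacy iptables the equivalent is one `-m conntrack --ctstate INVALID -j DROP` rule placed early in the INPUT chain; without such a rule the patch changes only what conntrack reports, not what the stack receives.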

authored by Jozsef Kadlecsik, committed by Pablo Neira Ayuso (64f509ce 0626af31)

net/netfilter/nf_conntrack_proto_tcp.c  +8 -11
··· 158 158 * sCL -> sSS 159 159 */ 160 160 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 161 - /*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, 161 + /*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR }, 162 162 /* 163 163 * sNO -> sIV Too late and no reason to do anything 164 164 * sSS -> sIV Client can't send SYN and then SYN/ACK 165 165 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open 166 - * sSR -> sIG 167 - * sES -> sIG Error: SYNs in window outside the SYN_SENT state 168 - * are errors. Receiver will reply with RST 169 - * and close the connection. 170 - * Or we are not in sync and hold a dead connection. 171 - * sFW -> sIG 172 - * sCW -> sIG 173 - * sLA -> sIG 174 - * sTW -> sIG 175 - * sCL -> sIG 166 + * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open 167 + * sES -> sIV Invalid SYN/ACK packets sent by the client 168 + * sFW -> sIV 169 + * sCW -> sIV 170 + * sLA -> sIV 171 + * sTW -> sIV 172 + * sCL -> sIV 176 173 */ 177 174 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 178 175 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
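Review bot: the new sSR -> sSR entry still accepts an original-direction SYN/ACK while in sSR, but sSR is reached from a normal three-way handshake as well as from the sS2 -> sSR simultaneous-open transition shown on the line above it, so the comment "Late retransmitted SYN/ACK in simultaneous open" understates what remains allowed and sits uneasily next to "Clients should not send such packets" in the commit message; either reword the comment to say a client SYN/ACK in sSR is tolerated in both cases, or explain why a retransmitted SYN/ACK cannot be told apart from a bogus one in that state. The commit message should also spell out that the sSR..sCL entries move from sIG (ignored) to sIV (invalid), since rulesets that drop INVALID will start dropping these packets; the sNO and sSS entries already read sIV in the old row, so that is the whole user-visible change.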