FreeBSD src
Gleb Smirnoff 3220a2121c FreeBSD-SA-14:19.tcp raised attention to the state of our stack
towards blind SYN/RST spoofed attack.

Originally our stack used in-window checks for incoming SYN/RST
as proposed by RFC793. Later, circa 2003 the RST attack was
mitigated using the technique described in P. Watson
"Slipping in the window" paper [1].

After that, the checks were only relaxed for the sake of
compatibility with some buggy TCP stacks. First, r192912
introduced the vulnerability, just fixed by the aforementioned SA.
Second, r167310 had slightly relaxed the default RST checks,
instead of utilizing the net.inet.tcp.insecure_rst sysctl.

In 2010 a new technique for mitigation of these attacks was
proposed in RFC5961 [2]. The idea is to send a "challenge ACK"
packet to the peer, to verify that the packet that arrived isn't spoofed.
If the peer receives the challenge ACK it should regenerate its RST or
SYN with the correct sequence number. This should not only protect
against attacks, but also improve communication with broken
stacks, so the authors of the reverted r167310 and r192912 won't be
disappointed.

[1] http://bandwidthco.com/whitepapers/netforensics/tcpip/TCP Reset Attacks.pdf
[2] http://www.rfc-editor.org/rfc/rfc5961.txt

Changes made:

o Revert r167310.
o Implement "challenge ACK" protection as specified in RFC5961
  against RST attack. On by default.
  - Carefully preserve r138098, which handles empty window edge
    case, not described by the RFC.
  - Update net.inet.tcp.insecure_rst description.
o Implement "challenge ACK" protection as specified in RFC5961
  against SYN attack. On by default.
  - Provide net.inet.tcp.insecure_syn sysctl, to turn off
    RFC5961 protection.

The changes were tested at Netflix. The tested box didn't show
any anomalies compared to the control box, except a slightly increased
number of TCP connections in the LAST_ACK state.

Reviewed by:	rrs
Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2014-09-16 11:07:25 +00:00
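The commit message above describes the RFC5961 checks only in prose. What follows is an added user-space model of that decision logic, not the FreeBSD kernel code from this commit: it shows how an incoming RST or SYN on an established connection maps to "reset", "challenge ACK" or "drop" depending on whether its sequence number is an exact match, merely inside the receive window, or outside it, and how the two sysctls named in the message fall back to the old RFC793 in-window behaviour. The struct and function names, the `tunables` fields standing in for `net.inet.tcp.insecure_rst` and `net.inet.tcp.insecure_syn`, the sample connection state, and the reading of the closed-window edge case (an exact-match RST accepted even when `rcv_wnd == 0`) are all assumptions of this example.

```c
/*
 * Added example: a user-space model of the RFC5961 "challenge ACK" decision
 * described in the commit message. Not the FreeBSD kernel code; the names,
 * the tunables struct (standing in for the insecure_rst / insecure_syn
 * sysctls) and the closed-window handling are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence-number comparisons modulo 2^32 (RFC 793 arithmetic). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum action { ACT_DROP, ACT_CHALLENGE_ACK, ACT_RESET };

/* Assumed stand-ins for the net.inet.tcp.insecure_rst / insecure_syn sysctls. */
struct tunables { bool insecure_rst; bool insecure_syn; };

/* Minimal state of an ESTABLISHED connection: the ACK number we last sent
 * (what the peer's segments are checked against) and our receive window. */
struct tcb { uint32_t last_ack_sent; uint32_t rcv_wnd; };

static bool in_window(const struct tcb *tp, uint32_t seq)
{
    return SEQ_GEQ(seq, tp->last_ack_sent) &&
           SEQ_LT(seq, tp->last_ack_sent + tp->rcv_wnd);
}

/* RST handling per RFC5961 section 3.2: only an exact match tears the
 * connection down; anything else inside the window earns a challenge ACK;
 * everything outside the window is silently dropped. */
enum action handle_rst(const struct tcb *tp, const struct tunables *tn, uint32_t seq)
{
    /* Assumed reading of the closed-window edge case the commit preserves:
     * with rcv_wnd == 0 the window is empty, so an exact-match RST would
     * never count as "in window"; accept it anyway. */
    bool closed_window_match = (tp->rcv_wnd == 0 && seq == tp->last_ack_sent);

    if (!in_window(tp, seq) && !closed_window_match)
        return ACT_DROP;
    if (tn->insecure_rst || seq == tp->last_ack_sent)
        return ACT_RESET;          /* exact match, or legacy in-window mode */
    return ACT_CHALLENGE_ACK;      /* in window but not exact: make the peer prove it */
}

/* SYN handling per RFC5961 section 4.2: a SYN on an established connection
 * gets a challenge ACK and never resets; with insecure_syn the old RFC793
 * in-window reset applies instead. */
enum action handle_syn(const struct tcb *tp, const struct tunables *tn, uint32_t seq)
{
    if (!tn->insecure_syn)
        return ACT_CHALLENGE_ACK;
    return in_window(tp, seq) ? ACT_RESET : ACT_DROP;
}

/* How many sequence numbers inside the current window would tear the
 * connection down under the given tunables. RFC5961 shrinks this from the
 * window size to exactly one, which is the whole point of the mitigation. */
uint64_t resetting_seqs_in_window(const struct tcb *tp, const struct tunables *tn)
{
    uint64_t n = 0;
    uint32_t span = tp->rcv_wnd == 0 ? 1 : tp->rcv_wnd;
    for (uint32_t i = 0; i < span; i++)
        if (handle_rst(tp, tn, tp->last_ack_sent + i) == ACT_RESET)
            n++;
    return n;
}

static const char *name(enum action a)
{
    return a == ACT_DROP ? "drop" : a == ACT_CHALLENGE_ACK ? "challenge ACK" : "reset";
}

int main(void)
{
    /* Constructed sample state: last ACK sent 1000, 64 KiB window. */
    struct tcb tp = { .last_ack_sent = 1000, .rcv_wnd = 65535 };
    struct tunables secure = { false, false }, legacy = { true, true };

    printf("RST seq=1000 (exact match): %s\n", name(handle_rst(&tp, &secure, 1000)));
    printf("RST seq=4242 (in window):   %s\n", name(handle_rst(&tp, &secure, 4242)));
    printf("RST seq=999  (outside):     %s\n", name(handle_rst(&tp, &secure, 999)));
    printf("SYN seq=4242, RFC5961:      %s\n", name(handle_syn(&tp, &secure, 4242)));
    printf("SYN seq=4242, insecure_syn: %s\n", name(handle_syn(&tp, &legacy, 4242)));
    printf("resetting seqs in window:   %llu (RFC5961) vs %llu (insecure_rst)\n",
           (unsigned long long)resetting_seqs_in_window(&tp, &secure),
           (unsigned long long)resetting_seqs_in_window(&tp, &legacy));
    return 0;
}
```

The comparisons go through `SEQ_LT`/`SEQ_GEQ` rather than plain `<` so the window test still works when sequence numbers wrap past 2^32, the same reason the kernel uses modular comparisons. Comparing against the last ACK sent rather than the current receive-next mirrors the delayed-ACK consideration the RFC raises: the peer can only know the ACK number we actually put on the wire.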
bin Vendor import of OpenPAM Ourouparia. 2014-09-15 09:40:30 +00:00
cddl MFV r271516: 2014-09-13 17:30:46 +00:00
contrib Upgrade to OpenPAM Ourouparia. 2014-09-15 13:40:09 +00:00
crypto Include the gssapi_krb5 library in KRB5_LDFLAGS. 2014-09-08 19:00:13 +00:00
etc Fix a typo; master server for iprop service should be singular. 2014-09-16 05:45:38 +00:00
games Update the freebsd-tips example to use drill instead of dig since bind is no longer in base 2014-07-25 14:47:44 +00:00
gnu Add gnugrep.1 to CLEANFILES. 2014-08-26 19:36:34 +00:00
include Vendor import of OpenPAM Ourouparia. 2014-09-15 09:40:30 +00:00
kerberos5 Revert r267233 for now. PIE support needs to be reworked. 2014-08-19 15:04:32 +00:00
lib Bump .Dd for the content change done to access(2) in r271655 2014-09-16 00:59:08 +00:00
libexec Import HyperV Key-Value Pair (KVP) driver and daemon code by Microsoft, 2014-09-13 02:15:31 +00:00
release Create /tmp/bsdinstall_etc even if we aren't starting the installer so that 2014-09-13 20:09:02 +00:00
rescue Add zdb into rescue environment. 2014-08-20 00:14:41 +00:00
sbin Add DEF_CLONE_CMD_ARG2 2014-09-14 22:10:35 +00:00
secure Fix typo (LIBLDNSADD -> LIBLDNS) to fix "make checkdpadd" 2014-08-19 18:27:43 +00:00
share Add a brief description of CTLFLAG_VNET flag. Since the VIMAGE is 2014-09-15 11:14:23 +00:00
sys FreeBSD-SA-14:19.tcp raised attention to the state of our stack 2014-09-16 11:07:25 +00:00
tests Abort the create_socket test if socket creation fails. 2014-09-10 14:57:26 +00:00
tools Import HyperV Key-Value Pair (KVP) driver and daemon code by Microsoft, 2014-09-13 02:15:31 +00:00
usr.bin Add the new iscsi(4) man page 2014-09-13 18:40:12 +00:00
usr.sbin Fix two small nits in ctl.conf(5). 2014-09-14 08:35:44 +00:00
.arcconfig Update the URL to the phabricator instance. 2014-08-14 16:25:43 +00:00
.arclint arc: add linting for python files 2014-06-02 00:21:42 +00:00
COPYRIGHT Bump copyright year. 2013-12-31 12:18:10 +00:00
LOCKS Explicitly require Security Officer's approval for kernel PRNG bits. 2013-09-17 14:19:05 +00:00
MAINTAINERS add myself as opencrypto maintainer as I'm doing some work in the 2014-08-11 19:03:20 +00:00
Makefile Revert r271159, Mis-patched the tree. 2014-09-05 14:35:34 +00:00
Makefile.inc1 Revert r267233 for now. PIE support needs to be reworked. 2014-08-19 15:04:32 +00:00
ObsoleteFiles.inc Catch up to gcc 3.3 -> 3.4 upgrade. 2014-08-24 21:21:54 +00:00
README Vendor import of OpenPAM Ourouparia. 2014-09-15 09:40:30 +00:00
UPDATING Make mmap() of the console device when using ofwfb work like other supported 2014-07-29 23:11:05 +00:00

This is the top level of the FreeBSD source directory.  This file
was last revised on:
$FreeBSD$

For copyright information, please see the file COPYRIGHT in this
directory (additional copyright information also exists for some
sources in this tree - please see the specific source directories for
more information).

The Makefile in this directory supports a number of targets for
building components (or all) of the FreeBSD source tree, the most
commonly used one being ``world'', which rebuilds and installs
everything in the FreeBSD system from the source tree except the
kernel, the kernel-modules and the contents of /etc.  The ``world''
target should only be used in cases where the source tree has not
changed from the currently running version.  See:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html
for more information, including setting make(1) variables.

The ``buildkernel'' and ``installkernel'' targets build and install
the kernel and the modules (see below).  Please see the top of
the Makefile in this directory for more information on the
standard build targets and compile-time flags.

Building a kernel is a somewhat more involved process; documentation
for it can be found at:
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
and in the config(8) man page.
Note: If you want to build and install the kernel with the
``buildkernel'' and ``installkernel'' targets, you might need to build
world beforehand.  More information is available in the handbook.

The sample kernel configuration files reside in the sys/<arch>/conf
sub-directory (assuming that you've installed the kernel sources), the
file named GENERIC being the one used to build your initial installation
kernel.  The file NOTES contains entries and documentation for all possible
devices, not just those commonly used.  It is the successor of the ancient
LINT file, but in contrast to LINT, it is not buildable as a kernel but a
pure reference and documentation file.


Source Roadmap:
---------------
bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

games		Amusements.

gnu		Various commands and libraries under the GNU Public License.
		Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

sys		Kernel sources.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.


For information on synchronizing your source tree with one or more of
the FreeBSD Project's development branches, please see:

  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html