freebsd-dev/sys/netinet
Gleb Smirnoff 3220a2121c
FreeBSD-SA-14:19.tcp drew attention to the state of our stack
with respect to blind spoofed SYN/RST attacks.

Originally our stack used in-window checks for incoming SYN/RST
as proposed by RFC793. Later, circa 2003, the RST attack was
mitigated using the technique described in P. Watson's
"Slipping in the window" paper [1].

After that, the checks were only relaxed for the sake of
compatibility with some buggy TCP stacks. First, r192912
introduced the vulnerability just fixed by the aforementioned SA.
Second, r167310 had slightly relaxed the default RST checks,
instead of utilizing the net.inet.tcp.insecure_rst sysctl.

In 2010 a new technique for mitigation of these attacks was
proposed in RFC5961 [2]. The idea is to send a "challenge ACK"
packet to the peer, to verify that the packet that arrived isn't spoofed.
If the peer receives the challenge ACK it should regenerate its RST or
SYN with the correct sequence number. This should not only protect
against attacks, but also improve communication with broken
stacks, so the authors of the reverted r167310 and r192912 won't be
disappointed.

[1] http://bandwidthco.com/whitepapers/netforensics/tcpip/TCP Reset Attacks.pdf
[2] http://www.rfc-editor.org/rfc/rfc5961.txt

Changes made:

o Revert r167310.
o Implement "challenge ACK" protection as specified in RFC5961
  against RST attack. On by default.
  - Carefully preserve r138098, which handles empty window edge
    case, not described by the RFC.
  - Update net.inet.tcp.insecure_rst description.
o Implement "challenge ACK" protection as specified in RFC5961
  against SYN attack. On by default.
  - Provide net.inet.tcp.insecure_syn sysctl, to turn off
    RFC5961 protection.

The changes were tested at Netflix. The tested box didn't show
any anomalies compared to the control box, except a slightly increased
number of TCP connections in the LAST_ACK state.

Reviewed by:	rrs
Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2014-09-16 11:07:25 +00:00
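The RST and SYN decisions the commit message describes, as an added worked example in C. This is not the FreeBSD tcp_input.c code and not part of the commit; it is a self-contained model of the RFC 5961 rules the message names (exact-match RST resets, in-window RST or any SYN on a synchronized connection gets a challenge ACK, out-of-window RST is dropped), plus the empty-window edge case the message credits to r138098. Assumptions of mine: the window base is the sequence number of the last ACK sent rather than RCV.NXT (needed to tolerate delayed ACKs; the RFC text uses RCV.NXT), the two `insecure_*` flags stand in for the sysctls, and the names `rst_action`, `syn_action`, `blind_rst_sweep` and the victim state values are constructed. The sweep at the end goes beyond the message: it quantifies what a blind attacker who steps through sequence space one window at a time gets under in-window acceptance versus RFC 5961.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe sequence-space comparisons, same idea as FreeBSD's tcp_seq.h. */
#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b)  ((int32_t)((a) - (b)) >= 0)

typedef uint32_t tcp_seq;

enum tcp_action {
	ACT_DROP,           /* segment silently discarded */
	ACT_RESET,          /* connection torn down */
	ACT_CHALLENGE_ACK   /* reply with ACK carrying RCV.NXT/SND.NXT, drop segment */
};

/* seg_seq in [base, base + rcv_wnd), computed modulo 2^32. */
static bool
seq_in_window(tcp_seq base, uint32_t rcv_wnd, tcp_seq seg_seq)
{
	return SEQ_GEQ(seg_seq, base) && SEQ_LT(seg_seq, base + rcv_wnd);
}

/*
 * RFC 5961 section 3.2 for an incoming RST on a synchronized connection.
 * base is the sequence number of the last ACK the stack sent (an assumption
 * of this example; chosen over RCV.NXT so a peer replying to a delayed ACK
 * still matches exactly).
 * insecure_rst models net.inet.tcp.insecure_rst: any in-window RST resets.
 */
enum tcp_action
rst_action(tcp_seq base, uint32_t rcv_wnd, tcp_seq seg_seq, bool insecure_rst)
{
	/* Empty-window edge case: [base, base) contains nothing, but an RST
	 * sitting exactly at base must still be honoured. */
	bool in_window = seq_in_window(base, rcv_wnd, seg_seq) ||
	    (rcv_wnd == 0 && seg_seq == base);

	if (!in_window)
		return ACT_DROP;            /* RFC 793 drops this too */
	if (insecure_rst || seg_seq == base)
		return ACT_RESET;           /* exact match: treat as genuine */
	return ACT_CHALLENGE_ACK;           /* in-window but inexact: verify */
}

/*
 * RFC 5961 section 4.2 for a SYN on a synchronized connection (any state
 * other than SYN_SENT). insecure_syn models net.inet.tcp.insecure_syn,
 * which restores the old behaviour of resetting on an in-window SYN.
 */
enum tcp_action
syn_action(tcp_seq base, uint32_t rcv_wnd, tcp_seq seg_seq, bool insecure_syn)
{
	if (insecure_syn && seq_in_window(base, rcv_wnd, seg_seq))
		return ACT_RESET;
	return ACT_CHALLENGE_ACK;
}

/*
 * Blind attacker model (constructed for this example): the attacker knows
 * the 4-tuple but not the sequence number, so it sends one RST per window
 * worth of sequence space, 2^32 / rcv_wnd packets in total. Returns how
 * many of those packets produce the action `want`.
 */
unsigned
blind_rst_sweep(tcp_seq base, uint32_t rcv_wnd, bool insecure_rst,
    enum tcp_action want)
{
	unsigned n = 0;

	if (rcv_wnd == 0)
		return 0;                   /* no window to step through */
	uint64_t guesses = (1ULL << 32) / rcv_wnd;
	for (uint64_t i = 0; i < guesses; i++) {
		tcp_seq guess = (tcp_seq)(i * rcv_wnd);
		if (rst_action(base, rcv_wnd, guess, insecure_rst) == want)
			n++;
	}
	return n;
}

int
main(void)
{
	tcp_seq base = 0x12345678;      /* constructed victim state */
	uint32_t wnd = 65536;

	printf("in-window RST (insecure_rst=1): %u resets out of %llu guesses\n",
	    blind_rst_sweep(base, wnd, true, ACT_RESET),
	    (unsigned long long)((1ULL << 32) / wnd));
	printf("RFC 5961:                       %u resets, %u challenge ACKs\n",
	    blind_rst_sweep(base, wnd, false, ACT_RESET),
	    blind_rst_sweep(base, wnd, false, ACT_CHALLENGE_ACK));
	return 0;
}
```

With a 64 KiB window, the sweep is 65536 packets: under in-window acceptance exactly one of them resets the connection, under RFC 5961 that same packet only draws a challenge ACK, and the attacker would need the one exact value out of 2^32. The challenge ACK carries the real RCV.NXT and SND.NXT, so a genuine but confused peer (the "broken stacks" the message mentions) learns the correct numbers and can resend its RST or SYN; a blind spoofer never sees it.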
cc Destroy the "qdiffsample_zone" UMA zone on unload to avoid a use-after-unload 2014-08-19 02:19:53 +00:00
khelp
libalias It'll be okay to use LibAliasDetachHandlers() here, relying 2013-12-25 09:43:51 +00:00
accf_data.c
accf_dns.c
accf_http.c
cc.h
icmp6.h Migrate structs in6_ifstat and icmp6_ifstat to PCPU counters. 2013-07-09 09:59:46 +00:00
icmp_var.h Remove more constants related to static sysctl nodes. The MAXID constants 2014-02-25 18:44:33 +00:00
if_atm.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
if_atm.h Add const qualifier to the dst parameter of the ifnet if_output method. 2013-04-26 12:50:32 +00:00
if_ether.c Use macros instead of referencing struct if_data that resides in ifnet. 2014-08-31 06:30:50 +00:00
if_ether.h Add const qualifier to the dst parameter of the ifnet if_output method. 2013-04-26 12:50:32 +00:00
igmp_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
igmp.c Fix one more compiler warning, m is not initialized. 2014-08-08 15:50:02 +00:00
igmp.h
in_cksum.c
in_debug.c
in_gif.c Change pr_output's prototype to avoid the need for explicit casts. 2014-08-15 02:43:02 +00:00
in_gif.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
in_kdtrace.c dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE 2013-11-26 08:46:27 +00:00
in_kdtrace.h dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE 2013-11-26 08:46:27 +00:00
in_mcast.c Pull in r267961 and r267973 again. Fix for issues reported will follow. 2014-06-28 03:56:17 +00:00
in_pcb.c Revisions 264905 and 266860 added a "int fib" argument to ifa_ifwithnet and 2014-09-11 20:21:03 +00:00
in_pcb.h Add scope zone id to the in_endpoints and hc_metrics structures. 2014-09-10 16:26:18 +00:00
in_pcbgroup.c Introduce INP6_PCBHASHKEY macro. Replace usage of hardcoded part of 2014-09-10 12:35:42 +00:00
in_proto.c The accept filter code is not specific to the FreeBSD IPv4 network stack, 2014-07-26 19:27:34 +00:00
in_rmx.c Fix panic on IPv4 address removal introduced in r265279. 2014-05-03 20:22:13 +00:00
in_rss.c Ensure the correct software IPv4 hash is done based on the configured 2014-09-16 03:26:42 +00:00
in_rss.h Implement IPv4 RSS software hash functions to use during packet ingress 2014-09-09 03:10:21 +00:00
in_systm.h
in_var.h Update the IPv4 input path to handle reassembled frames and incoming frames 2014-09-09 04:18:20 +00:00
in.c Restore historical behavior of in_control, which, when no matching address 2014-08-22 19:08:12 +00:00
in.h Add support for receiving and setting flowtype, flowid and RSS bucket 2014-09-09 01:45:39 +00:00
ip6.h Use IP6STAT_INC/IP6STAT_DEC macros to update ip6 stats. 2013-04-09 07:11:22 +00:00
ip_carp.c Change pr_output's prototype to avoid the need for explicit casts. 2014-08-15 02:43:02 +00:00
ip_carp.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_divert.c Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_divert.h
ip_dummynet.h ECN marking implenetation for dummynet. 2014-06-01 07:28:24 +00:00
ip_ecn.c
ip_ecn.h
ip_encap.c Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_encap.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_fastfwd.c Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and 2014-09-15 07:20:40 +00:00
ip_fw.h Fix wrong formatting of 0.0.0.0/X table records in ipfw(8). 2014-05-17 13:45:03 +00:00
ip_gre.c Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_gre.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_icmp.c Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_icmp.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_id.c Back out r249318, r249320 and r249327 due to a heisenbug most 2013-05-06 16:42:18 +00:00
ip_input.c Update the IPv4 input path to handle reassembled frames and incoming frames 2014-09-09 04:18:20 +00:00
ip_ipsec.c - Remove rt_metrics_lite and simply put its members into rtentry. 2014-03-05 01:17:47 +00:00
ip_ipsec.h
ip_mroute.c Change pr_output's prototype to avoid the need for explicit casts. 2014-08-15 02:43:02 +00:00
ip_mroute.h Migrate structs arpstat, icmpstat, mrtstat, pimstat and udpstat to PCPU 2013-07-09 09:50:15 +00:00
ip_options.c Use generic SYSCTL_* macro instead of deprecated SYSCTL_VNET_*. 2014-09-15 14:43:58 +00:00
ip_options.h Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and 2014-09-15 07:20:40 +00:00
ip_output.c Revisions 264905 and 266860 added a "int fib" argument to ifa_ifwithnet and 2014-09-11 20:21:03 +00:00
ip_var.h Add a flag to ip_output() - IP_NODEFAULTFLOWID - which prevents it from 2014-09-09 00:19:02 +00:00
ip.h
pim_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
pim.h
raw_ip.c Make SOCK_RAW sockets to be truly raw, not modifying received and sent 2014-09-01 14:04:51 +00:00
sctp_asconf.c Address another warnings reported by Patrick Laimbock when compiling 2014-09-07 17:07:19 +00:00
sctp_asconf.h
sctp_auth.c Add support for the SCTP_AUTH_SUPPORTED and SCTP_ASCONF_SUPPORTED 2014-08-12 11:30:16 +00:00
sctp_auth.h Add support for the SCTP_AUTH_SUPPORTED and SCTP_ASCONF_SUPPORTED 2014-08-12 11:30:16 +00:00
sctp_bsd_addr.c In 2013-11-30 12:51:19 +00:00
sctp_bsd_addr.h
sctp_cc_functions.c
sctp_constants.h Fix the handling of sysctl variables when used with VIMAGE. 2014-09-06 19:12:14 +00:00
sctp_crc32.c
sctp_crc32.h
sctp_dtrace_declare.h - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
sctp_dtrace_define.h dtrace sdt: remove the ugly sname parameter of SDT_PROBE_DEFINE 2013-11-26 08:46:27 +00:00
sctp_header.h Cleanup sctp_send_initiate() and sctp_send_initiate_ack() to be 2014-08-01 12:42:37 +00:00
sctp_indata.c Add support for the SCTP_PR_SUPPORTED socket option as specified in 2014-08-02 21:36:40 +00:00
sctp_indata.h Code cleanups. 2013-07-03 18:48:43 +00:00
sctp_input.c Address warnings generated by the clang analyzer. 2014-09-07 18:05:37 +00:00
sctp_input.h
sctp_lock_bsd.h
sctp_os_bsd.h The MTU is handled as a 32-bit entity within the SCTP stack. 2014-09-16 09:22:43 +00:00
sctp_os.h
sctp_output.c Make a type conversion explicit. When compiling this code on 2014-09-16 10:57:55 +00:00
sctp_output.h Cleanup the handling of address scopes. Announce in the INIT/INIT-ACK 2013-02-09 17:26:14 +00:00
sctp_pcb.c Address warnings generated by the clang analyzer. 2014-09-07 18:05:37 +00:00
sctp_pcb.h Add support for the SCTP_AUTH_SUPPORTED and SCTP_ASCONF_SUPPORTED 2014-08-12 11:30:16 +00:00
sctp_peeloff.c Add support for the SCTP_AUTH_SUPPORTED and SCTP_ASCONF_SUPPORTED 2014-08-12 11:30:16 +00:00
sctp_peeloff.h Remove unused function. 2012-11-25 14:25:08 +00:00
sctp_ss_functions.c
sctp_structs.h Chunk IDs are 8 bit entities, not 16 bit. 2014-09-15 19:38:34 +00:00
sctp_sysctl.c Use union sctp_sockstore instead of struct sockaddr_storage. This 2014-09-07 09:06:26 +00:00
sctp_sysctl.h Fix the handling of sysctl variables when used with VIMAGE. 2014-09-06 19:12:14 +00:00
sctp_timer.c Add support for the SCTP_PR_SUPPORTED socket option as specified in 2014-08-02 21:36:40 +00:00
sctp_timer.h
sctp_uio.h Add support for the SCTP_PR_STREAM_STATUS and SCTP_PR_ASSOC_STATUS 2014-08-13 15:50:16 +00:00
sctp_usrreq.c Use union sctp_sockstore instead of struct sockaddr_storage. This 2014-09-07 09:06:26 +00:00
sctp_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
sctp.h Add support for the SCTP_PR_STREAM_STATUS and SCTP_PR_ASSOC_STATUS 2014-08-13 15:50:16 +00:00
sctputil.c Use union sctp_sockstore instead of struct sockaddr_storage. This 2014-09-07 09:06:26 +00:00
sctputil.h Cleanup sctp_send_initiate() and sctp_send_initiate_ack() to be 2014-08-01 12:42:37 +00:00
siftr.c Include necessary headers that now are available due to pollution 2013-10-28 07:29:16 +00:00
tcp_debug.c Switch the entire IPv4 stack to keep the IP packet header 2012-10-22 21:09:03 +00:00
tcp_debug.h
tcp_fsm.h
tcp_hostcache.c Add scope zone id to the in_endpoints and hc_metrics structures. 2014-09-10 16:26:18 +00:00
tcp_hostcache.h Add scope zone id to the in_endpoints and hc_metrics structures. 2014-09-10 16:26:18 +00:00
tcp_input.c FreeBSD-SA-14:19.tcp raised attention to the state of our stack 2014-09-16 11:07:25 +00:00
tcp_lro.c Merge r254336 from user/np/cxl_tuning. 2013-08-28 23:00:34 +00:00
tcp_lro.h Merge r254336 from user/np/cxl_tuning. 2013-08-28 23:00:34 +00:00
tcp_offload.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
tcp_offload.h
tcp_output.c Revert r271504. A new patch to solve this issue will be made. 2014-09-13 20:52:01 +00:00
tcp_reass.c Satisfy assertion in m_demote(). 2014-09-04 19:28:02 +00:00
tcp_sack.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
tcp_seq.h
tcp_subr.c Fixes for tcp_respond() comment. 2014-09-04 17:05:57 +00:00
tcp_syncache.c In tcp_input(), don't acquire the pcbinfo global write lock for SYN 2014-09-04 19:09:08 +00:00
tcp_syncache.h Introduce spares in the TCP syncache and timewait structures 2013-09-21 10:01:51 +00:00
tcp_timer.c If we're doing RSS then ensure the TCP timer selection uses the multi-CPU 2014-06-30 04:26:29 +00:00
tcp_timer.h Currently, the TCP slow timer can starve TCP input processing while it 2014-04-10 18:15:35 +00:00
tcp_timewait.c Add a comment for easier code understanding. 2014-08-04 19:42:48 +00:00
tcp_usrreq.c Make in6_pcblookup_hash_locked and in6_pcbladdr static. 2014-09-10 13:17:35 +00:00
tcp_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
tcp.h Add placeholder constants to reserve a portion of the socket option 2013-02-01 15:32:20 +00:00
tcpip.h
toecore.c Include necessary headers that now are available due to pollution 2013-10-28 07:29:16 +00:00
toecore.h
toeplitz.c Several years after initial development, merge prototype support for 2014-03-15 00:57:50 +00:00
toeplitz.h Several years after initial development, merge prototype support for 2014-03-15 00:57:50 +00:00
udp_usrreq.c Calculate the RSS hash for outbound UDPv4 frames. 2014-09-09 04:19:36 +00:00
udp_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
udp.h Add placeholder constants to reserve a portion of the socket option 2013-02-01 15:32:20 +00:00
udplite.h Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks. 2014-04-07 01:53:03 +00:00