Re: [PATCH] tcp: sysctl to disable TCP simultaneous connect

[Kees Cook]

On Thu, Feb 7, 2013 at 10:39 AM, Stephen Hemminger
<stephen@xxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 7 Feb 2013 09:52:40 -0800
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> This is based on Willy Tarreau's patch from 2008[1]. The goal is to
>> close a corner-case of TCP that isn't used and poses a small DoS risk.
>> For systems that do not want to take any risk at all, this is a desirable
>> configuration knob.
>>
>> It is possible for two clients to connect with crossed SYNs without
>> checking sequence numbers. As such, it might be possible to guess a source
>> port number to block a system from making connections to well-known
>> ports and IP addresses (e.g. auto-update checks) without requiring a
>> MiTM position.
>>
>
> This patch probably also breaks TCP STUNT that is used by some applications for NAT
> traversal.

The patch would not break it -- it defaults the sysctl to staying enabled.

If you mean the documentation should be updated, sure, that's easy to do.

David: I know you aren't a fan of this patch, but I'd like to try to
convince you. :) This leaves the feature enabled and add a toggle for
systems (like Chrome OS) that don't want to risk this DoS at all.
There are so very many other toggle, I don't see why this one would be
a problem to add.

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/