
Commit 282f23c6 authored by Eric Dumazet, committed by David S. Miller

tcp: implement RFC 5961 3.2



Implement the RFC 5961 mitigation against the Blind
Reset attack using the RST bit.

The idea is to validate the incoming RST sequence number
to match the RCV.NXT value, instead of the previously accepted
window: (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If the sequence is in window but not an exact match, send
a "challenge ACK", so that the other party can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit the
number of challenge ACKs sent per second.

Add a new SNMP counter to count the number of challenge ACKs sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent a858d64b
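The RST handling the commit message describes (exact RCV.NXT match resets, in-window mismatch draws a rate-limited challenge ACK, out-of-window is dropped), written out as an added C model. This is example code, not the kernel's implementation or any part of this commit: the struct name, the function names, the return codes and the choice of one global per-second bucket shared by all connections are assumptions made for illustration. Sequence arithmetic is modulo 2^32, so the in-window test also behaves correctly across a sequence-number wrap.

```c
/*
 * Model of the RFC 5961 section 3.2 RST validation described in the commit
 * message.  Added example, not kernel code: struct, names, return codes and
 * the global per-second limiter are assumptions made for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t u32;

/* Modular sequence comparison, same idea as the kernel's before()/after(). */
static inline bool seq_before(u32 a, u32 b) { return (int32_t)(a - b) < 0; }

enum rst_action {
	RST_ACCEPT,         /* SEG.SEQ == RCV.NXT: reset the connection */
	RST_CHALLENGE_ACK,  /* in window but not exact: send challenge ACK, drop RST */
	RST_DROP_LIMITED,   /* would challenge, but the per-second limit is exhausted */
	RST_DROP_OOW        /* outside the receive window: drop without a reply */
};

struct tcp_state {
	u32 rcv_nxt;  /* next sequence number expected from the peer */
	u32 rcv_wnd;  /* advertised receive window */
};

/* Limiter state, global across all connections in this model (assumption). */
static int tcp_challenge_ack_limit = 100;    /* the patch's sysctl default */
static u32 challenge_timestamp;              /* second in which the bucket was last reset */
static unsigned int challenge_count;
static unsigned long tcp_challenge_ack_sent; /* stand-in for the TCPChallengeACK counter */

/* RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32. */
static bool seq_in_window(const struct tcp_state *tp, u32 seq)
{
	return !seq_before(seq, tp->rcv_nxt) &&
	       seq_before(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* One bucket refilled each second; returns true if a challenge ACK goes out. */
static bool send_challenge_ack(u32 now_sec)
{
	/* A negative sysctl value is treated as 0 here (this model's choice). */
	unsigned int limit = tcp_challenge_ack_limit > 0 ? (unsigned int)tcp_challenge_ack_limit : 0;

	if (now_sec != challenge_timestamp) {
		challenge_timestamp = now_sec;
		challenge_count = 0;
	}
	if (++challenge_count <= limit) {
		tcp_challenge_ack_sent++;   /* a real stack would emit the ACK here */
		return true;
	}
	return false;
}

/* Decision for an incoming segment carrying the RST bit. */
enum rst_action tcp_validate_rst(const struct tcp_state *tp, u32 seg_seq, u32 now_sec)
{
	if (!seq_in_window(tp, seg_seq))
		return RST_DROP_OOW;
	if (seg_seq == tp->rcv_nxt)
		return RST_ACCEPT;
	return send_challenge_ack(now_sec) ? RST_CHALLENGE_ACK : RST_DROP_LIMITED;
}

/* Convenience wrapper taking the connection state by value. */
enum rst_action check_rst(u32 rcv_nxt, u32 rcv_wnd, u32 seg_seq, u32 now_sec)
{
	struct tcp_state tp = { rcv_nxt, rcv_wnd };
	return tcp_validate_rst(&tp, seg_seq, now_sec);
}

/*
 * Blind attacker model: n spoofed RSTs whose sequence numbers land inside the
 * window but never hit RCV.NXT exactly, all arriving within one second.
 * Returns how many challenge ACKs were actually emitted (bounded by the limit).
 * Requires rcv_wnd >= 2.
 */
unsigned int challenge_acks_for_burst(u32 rcv_nxt, u32 rcv_wnd, unsigned int n, u32 now_sec)
{
	struct tcp_state tp = { rcv_nxt, rcv_wnd };
	unsigned int sent = 0;

	for (unsigned int i = 0; i < n; i++) {
		/* guesses spread over RCV.NXT+1 .. RCV.NXT+RCV.WND-1 */
		u32 guess = rcv_nxt + 1 + (i % (rcv_wnd - 1));
		if (tcp_validate_rst(&tp, guess, now_sec) == RST_CHALLENGE_ACK)
			sent++;
	}
	return sent;
}

int main(void)
{
	struct tcp_state tp = { .rcv_nxt = 1000, .rcv_wnd = 5000 };

	printf("exact RST       -> action %d (0 = accept)\n", tcp_validate_rst(&tp, 1000, 1));
	printf("in-window RST   -> action %d (1 = challenge ACK)\n", tcp_validate_rst(&tp, 4000, 1));
	printf("out-of-window   -> action %d (3 = drop)\n", tcp_validate_rst(&tp, 6000, 1));
	printf("150 blind RSTs in one second -> %u challenge ACKs\n",
	       challenge_acks_for_burst(1000, 5000, 150, 2));
	printf("TCPChallengeACK counter: %lu\n", tcp_challenge_ack_sent);
	return 0;
}
```

The challenge ACK carries the receiver's current RCV.NXT as its acknowledgment number. A legitimate peer that really has no state for the connection answers it with an RST whose sequence number equals that value, which then passes the exact-match test; an off-path attacker who only guessed an in-window value learns nothing from a reply it cannot see. The limiter is what keeps a flood of in-window RSTs from turning the receiver into an ACK generator; in this model, as in the commit message, the limit is per second rather than per connection.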
+5 −0
@@ -565,6 +565,11 @@ tcp_limit_output_bytes - INTEGER
	reduce the size of individual GSO packet (64KB being the max)
	Default: 131072

tcp_challenge_ack_limit - INTEGER
	Limits number of Challenge ACK sent per second, as recommended
	in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
	Default: 100

UDP variables:

udp_mem - vector of 3 INTEGERs: min, pressure, max
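Review bot: "Limits number of Challenge ACK sent per second" should read "Limits the number of challenge ACKs sent per second", and the entry leaves the two things an administrator needs unstated: whether the limit is system wide or per socket, and what happens to an in-window RST once the limit for the current second is used up. Add a sentence for each, and say what a value of 0 means, since nothing in the text rules it out.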
+1 −0
@@ -237,6 +237,7 @@ enum
	LINUX_MIB_TCPOFOQUEUE,			/* TCPOFOQueue */
	LINUX_MIB_TCPOFODROP,			/* TCPOFODrop */
	LINUX_MIB_TCPOFOMERGE,			/* TCPOFOMerge */
	LINUX_MIB_TCPCHALLENGEACK,		/* TCPChallengeACK */
	__LINUX_MIB_MAX
};

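Review bot: LINUX_MIB_TCPCHALLENGEACK is appended immediately before __LINUX_MIB_MAX rather than inserted next to a related counter, which is the right choice for this header: the numeric values of the existing LINUX_MIB_* entries stay unchanged, so tools that read the counters by index keep working. Keep it that way if the entry is ever moved.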
+1 −0
@@ -254,6 +254,7 @@ extern int sysctl_tcp_thin_linear_timeouts;
extern int sysctl_tcp_thin_dupack;
extern int sysctl_tcp_early_retrans;
extern int sysctl_tcp_limit_output_bytes;
extern int sysctl_tcp_challenge_ack_limit;

extern atomic_long_t tcp_memory_allocated;
extern struct percpu_counter tcp_sockets_allocated;
+1 −0
@@ -261,6 +261,7 @@ static const struct snmp_mib snmp4_net_list[] = {
	SNMP_MIB_ITEM("TCPOFOQueue", LINUX_MIB_TCPOFOQUEUE),
	SNMP_MIB_ITEM("TCPOFODrop", LINUX_MIB_TCPOFODROP),
	SNMP_MIB_ITEM("TCPOFOMerge", LINUX_MIB_TCPOFOMERGE),
	SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
	SNMP_MIB_SENTINEL
};

+7 −0
@@ -605,6 +605,13 @@ static struct ctl_table ipv4_table[] = {
		.mode		= 0644,
		.proc_handler	= proc_dointvec
	},
	{
		.procname	= "tcp_challenge_ack_limit",
		.data		= &sysctl_tcp_challenge_ack_limit,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec
	},
#ifdef CONFIG_NET_DMA
	{
		.procname	= "tcp_dma_copybreak",
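Review bot: proc_dointvec accepts any int, including negative values, for tcp_challenge_ack_limit, while the documentation hunk describes it as a count of challenge ACKs per second. Use proc_dointvec_minmax with .extra1 = &zero so that a negative value cannot be written and the comparison against a count never has to deal with one; the documentation can then state 0 as the smallest accepted value.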