Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 64f509ce authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Pablo Neira Ayuso
Browse files

netfilter: Mark SYN/ACK packets as invalid from original direction 

Clients should not send such packets. By accepting them, we open
up a hole by wich ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074



Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0626af31

net/netfilter/nf_conntrack_proto_tcp.c

+8 −11
Original line number Diff line number Diff line
@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { 
 *	sCL -> sSS

 */

/* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/

/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },

/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },

/*

 *	sNO -> sIV	Too late and no reason to do anything

 *	sSS -> sIV	Client can't send SYN and then SYN/ACK

 *	sS2 -> sSR	SYN/ACK sent to SYN2 in simultaneous open

 *	sSR -> sIG

 *	sES -> sIG	Error: SYNs in window outside the SYN_SENT state

 *			are errors. Receiver will reply with RST

 *			and close the connection.

 *			Or we are not in sync and hold a dead connection.

 *	sFW -> sIG

 *	sCW -> sIG

 *	sLA -> sIG

 *	sTW -> sIG

 *	sCL -> sIG

 *	sSR -> sSR	Late retransmitted SYN/ACK in simultaneous open

 *	sES -> sIV	Invalid SYN/ACK packets sent by the client

 *	sFW -> sIV

 *	sCW -> sIV

 *	sLA -> sIV

 *	sTW -> sIV

 *	sCL -> sIV

 */

/* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/

/*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },