FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Lowell Gilbert
freebsd-security-local at be-well.ilk.org
Tue Sep 16 13:27:21 UTC 2014
Mark Felder <feld at FreeBSD.org> writes:
> On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
>> Hi,
>>
>> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
>> > An attacker who has the ability to spoof IP traffic can tear down a
>> > TCP connection by sending only 2 packets, if they know both TCP port
>> > numbers.
>>
>> This may be a silly question but, if the attacker can spoof IP traffic,
>> can't the same be done with a single RST packet?
>>
>
> Yes, this is how Sandvine anti-piracy products work. They detect you
> torrenting/P2P and then send an RST spoofed from the other end. You can
> defeat this by dropping RST altogether, which is what many people do.
> It's better if they don't blindly block all RST, and only to the ports
> they use for P2P...
That's not quite the same; that's a full man-in-the-middle attack on the
connection, so all of the connection information is available. The
problem being fixed here allowed an attacker to do that without knowing
the sequence numbers.
> I'm torn on calling this an actual security problem. It's certainly a
> bug -- defeated by a stateful firewall, as detailed in the SA -- but if
> someone can spoof the traffic... you've a problem at a different layer
> :-)
Spoofing traffic is pretty easy. The reason it isn't generally a problem
is that knowing what to spoof is more difficult. [I assume that's what
feld@ actually meant, but it's an important distinction.]
More information about the freebsd-security
mailing list