FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Tadaaki Nagao
nagao at iij.ad.jp
Tue Sep 16 16:14:55 UTC 2014
Hi,
In "Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp",
Xin Li <delphij at delphij.net> wrote:
> > On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> >> An attacker who has the ability to spoof IP traffic can tear down
> >> a TCP connection by sending only 2 packets, if they know both TCP
> >> port numbers.
> >
> > This may be a silly question but, if the attacker can spoof IP
> > traffic, can't the same be done with a single RST packet?
>
> By default RST has to be within the window if the connection is in
> ESTABLISHED state. So in order to do that the attacker still needs to
> guess or know the sequence number.
No, in the case of RST packets, the check in tcp_input.c is much
narrower than the receiving window size.
Actually, it was the discussion in 2004 that the usual window size had
become large enough (64k or more?) for an attacker to easily guess the
sequence number by sending a feasible number of packets (2^32 /
window_size (<= 2^16)).
And this is also the case for SYN packets. I suspect that, even with the
patch in FreeBSD-SA-14:19.tcp applied, an attacker can still reset a
connection by sending the above mentioned number of SYN packets,
guessing an in-window sequence number.
See RFC5961, which discusses attack scenarios including these and
changes to the TCP specification.
--
Tadaaki Nagao <nagao at iij.ad.jp>
Internet Initiative Japan Inc.
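Added example for this thread (not code from FreeBSD's tcp_input.c, from the advisory, or from any poster): a model of the receiver-side acceptance test the discussion turns on. It evaluates, for an ESTABLISHED connection, what a RST or SYN segment with a given sequence number does under the RFC 793 "in-window" rule and under the stricter RFC 5961 rule (exact-match RST, challenge ACK otherwise), and counts how many of the 2^32 sequence values each rule treats as a valid reset. The constructed RCV.NXT and window values are assumptions; the RFC 793 functions model the rule as written in that RFC, not the precise (and, as the post notes, possibly narrower) check in FreeBSD's code.

```python
# Added example for this thread (not code from FreeBSD or from any poster).
# Models how a receiver in ESTABLISHED state validates a RST or SYN segment
# under two policies: the RFC 793 "in-window" rule the thread refers to, and
# the stricter RFC 5961 rule. It sends nothing; it only evaluates the
# acceptance test, so it shows how much of the 32-bit sequence space each
# policy treats as a valid reset (the thread's 2^32 / window_size figure).

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits and wrap


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rfc793_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793: any RST whose sequence number is in the receive window
    aborts the connection; anything else is silently dropped."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rfc5961_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: only a RST with SEG.SEQ == RCV.NXT resets.
    An in-window but inexact RST is answered with a challenge ACK; a
    genuine peer that really lost the connection replies with an
    exactly-matching RST, while a blind spoofer never sees the challenge."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def rfc793_syn_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793: an in-window SYN on an ESTABLISHED connection is an error;
    the receiver sends a RST and aborts the connection."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rfc5961_syn_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 4.2: a SYN in ESTABLISHED state, whatever its
    sequence number, gets a challenge ACK and never aborts the connection."""
    return "challenge-ack"


def resetting_seq_count(action, rcv_nxt: int, rcv_wnd: int) -> int:
    """Number of 32-bit sequence values for which `action` returns "reset".

    Every policy above drops anything outside the receive window, so it is
    enough to scan the window plus one value on each side (wrapping modulo
    2**32) instead of all 2**32 values.
    """
    count = 0
    for offset in range(-1, rcv_wnd + 1):
        seq = (rcv_nxt + offset) % SEQ_SPACE
        if action(seq, rcv_nxt, rcv_wnd) == "reset":
            count += 1
    return count


def seq_space_per_reset(action, rcv_nxt: int, rcv_wnd: int) -> float:
    """Sequence-space size divided by the number of accepting values: for
    the RFC 793 RST rule this is the thread's 2**32 / window_size figure.
    Returns infinity when no sequence value resets the connection."""
    n = resetting_seq_count(action, rcv_nxt, rcv_wnd)
    return SEQ_SPACE / n if n else float("inf")


if __name__ == "__main__":
    # Constructed values: RCV.NXT near the top of the space so the window wraps.
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 65535
    for name, fn in [("RFC 793 RST", rfc793_rst_action),
                     ("RFC 5961 RST", rfc5961_rst_action),
                     ("RFC 793 SYN", rfc793_syn_action),
                     ("RFC 5961 SYN", rfc5961_syn_action)]:
        n = resetting_seq_count(fn, rcv_nxt, rcv_wnd)
        ratio = seq_space_per_reset(fn, rcv_nxt, rcv_wnd)
        print(f"{name:13s} resetting seq values: {n:6d}   2^32 / that: {ratio}")
```

With a 64 KiB window the RFC 793 rule accepts 65535 sequence values, so 2^32 / 65535 is roughly 65537, matching the figure in the post; under RFC 5961 a RST resets for exactly one value and a SYN for none, which is what the challenge-ACK mechanism buys a defender.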