Hi David,

I hope you had a pleasant journey in Paris last week. It was nice to meet you.

In 2005, I submitted a patch for 2.6.11 which we finally did not decide
on, it was about the ability to disable TCP simultaneous connection open.

For the last few years, we've been bothered several times by newbies
reading "TCP/IP for dummies" then trying to get a name by discovering
the ultimate vulnerability which will get a lot of press coverage. Of
course those attacks are often pointless or just proofs of concepts
with no application in real life, but it's nonetheless annoying to have
to deal with the issues, especially to explain to customers why they
shouldn't have to worry.

I would not be surprized that a next one will exploit TCP's ability to
perform simultaneous connections between two clients. It's very easy
to trigger, there's no SEQ to guess, just a port, and the effect is
simply a poor DoS on the service trying to connect outside. In other
times we would have found it very minor, but judging by the consideration
given to harder and less effective "attacks" these days, this trivial
one may finally get picked and annoy us again.

As a reminder (especially for those who are not aware of this feature),
it is possible with TCP to connect two clients together if both send
crossed SYNs, then SYN-ACKs, then ACKs. This implies that each side
accepts the sequence number of the other one without any ability to
check that it matches its SYN. So it's trivial for an attacker to
prevent one client from establishing a connection from a known port
to a known address/port by sending it a SYN to that port. The client
will then send a SYN-ACK and will not accept the expected server's
SYN-ACK because the SYN SEQ will be different. The server might also
send an RST on the client's SYN-ACK if it's not firewalled. The
connection will eventually timeout in a SYN-RECV state or simply be
aborted.

The theorical DoS effect on some predictable address/port destinations
is easy to understand. ...
[ message continues ]

[CC+=linux-api@vger.kernel.org]

(As very recently noted in SubmittingPatches)




-- 
Michael Kerrisk Linux man-pages maintainer;
http://www.kernel.org/doc/man-pages/ Found a documentation bug?
http://www.kernel.org/doc/man-pages/reporting_bugs.html
--

[ message continues ]

On Wed, 8 Oct 2008 10:11:09 +0200

Does this break NAT traversal via STUNT used by applications like Skype?
--

[ message continues ]

Hi Stephen,


Not IMHO. I've seen UDP-based protocols used for NAT traversal, since it's
stateless and the firewall is not able to perform much control, but TCP
would not work with most firewalls (starting with netfilter) because the
firewall will not accept a SYN in return to a SYN.

Regards,
Willy

--

[ message continues ]

This will break the main ICE-TCP mechanism (IETF draft-ietf-mmusic-ice-tcp).
I am not aware of any application using this _as_of_now_. Probably too many 
NAT and firewall implementations will reject it already. And then, some TCP 
stacks reportedly do not support it (e.g. Windows before Vista).

On the other hand, if someone were to tunnel/encapsulate TCP over UDP, this 
could actually be useful - think about peer-to-peer NATted-to-NATted file 
transfers for instance.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
--

[ message continues ]

And opening this through firewalls would be too much dangerous as it would
allow servers to reconnect outside, pretty much defeating the initial purpose

This is already possible using netcat. You can force both ports. It has no
flow control but would be enough to chat or transfer small config files.

Willy

--

[ message continues ]

Duh? If you require a SYN from the outside to the server, before you allow the 

Files transfer over UDP? Come on. I won't restart the UDP sendfile discussion.

-- 
Rémi Denis-Courmont
--

[ message continues ]

Requiring the firewall to expect a first SYN to come from the internet is like
doing no check at all. When your server has been rooted, you can pretty much
expect that your guest has no problem sending you a SYN.

Willy

--

[ message continues ]

On ports which are open to the outside you MUST allow inbound SYNs anyway. 
From a security perspective, it does not matter whether the server answers 
with a SYN/ACK as normally or with a SYN-not-ACK as in "simultaneous open".

On ports which the server is using outbound only (if any), you can expect the 
server to send a SYN out first. It again does not matter whether the other 
end answers with a SYN/ACK or a SYN-not-ACK.


And why would (s)he have problem sending a SYN/ACK? It makes no difference.

-- 
Rémi Denis-Courmont
--

[ message continues ]

It's just that it would be useless. If sending a fake SYN from port 25 to your
server's port 443 allows it to establish connections from port 443 to port 25,
it becomes an easy spam platform. That's just an example. I'm just trying to
explain that supporting simultaneous connect on a firewall prevents you from
precisely controlling the direction of the streams.

Willy

--

[ message continues ]

Minor - sysctl syscall (as long as numbers and ->strategy callbacks) are
--

[ message continues ]

Hi Pavel,


I noticed that one in the two latest UDP sysctls, but was not aware of the
rules related to its use. Given the number of unconverted sysctls, is it
worth changing it now ?

Willy

--

[ message continues ]

Sorry, I don't get you here. Sysctls are not supposed to get converted,
the intention is just to a) stop adding new sysctls with strategies and

--

[ message continues ]

If existing declarations eventually get changed, that's what I call a
conversion :-)

OK I get you here. The patch will be resent with CTL_UNNUMBERED if there is
an agreement to get it merged.

Regards,
Willy

--

[ message continues ]

set it to 0.
or did you mean: (?)


---
~Randy
--

[ message continues ]

I meant "leave it" but I'd prefer "let it be 0".

Thanks Randy,
Willy

--

[ message continues ]

I'm not really interested in applying this.

You can make the same argument for just about any queer corner case
aspect of TCP.

The world hasn't ended even though this patch hasn't applied since
2005 and that's a good argument to not apply "yet another random knob"
to the kernel.
--

[ message continues ]

Not exactly since there are very few corner cases not conditionned by

Oh don't take me wrong. I'm pretty much convinced this is not critical at
all. It's just that it's a tempting attack vector for an easy DoS proof

OK for the random knob. If you feel comfortable with a patch to simply remove
the feature, I can send you such a patch too. BTW, the strange netstat output
I got also shows that the code paths involved to support this feature are not
much exercised, which would be another argument to disable it.

Anyway, I'm not trying to put any pressure. I can continue to live with the
ifdef patch in my trees. I just wanted to get your opinion on this one since
the discussion I initiated about it in 2005 brought to nowhere.

Regards,
Willy

--

[ message continues ]

From: Willy Tarreau <w@1wt.eu>

If I don't want the knob, what makes you think I'll accept a patch to
remove or ifdef the code?

I absolutely will not.
--

[ message continues ]

OK at least now it's clear.

Thanks anyway,
Willy

--

[ message continues ]

One reasonable tweak for this would be to use a very aggressive
timeout for simultaneously opened connections that didn't get an ACK
yet.

But to be honest it doesn't seem like a very pressing problem to me either.

-Andi

-- 
ak@linux.intel.com
--

[ message continues ]