2001-11-08 05:30:16

by B. James Phillippe

Subject: SYN cookies security bugfix?

Hello,

I received a forwarded message from SuSE regarding a security vulnerability
with respect to randomization of the ISN for SYN cookies - or something to
that effect. I have not been able to find the patch which addresses this
problem; if anyone can point me towards it, I would be appreciative.

thanks,
-bp
--
# bryanxms at ecst dot csuchico dot edu Support the American Red Cross
# Software Engineer http://www.redcross.org



2001-11-08 08:33:43

by Gianni Tedesco

Subject: Re: SYN cookies security bugfix?

On Thu, 2001-11-08 at 05:20, B. James Phillippe wrote:
> Hello,
>
> I received a forwarded message from SuSE regarding a security vulnerability
> with respect to randomization of the ISN for SYN cookies - or something to
> that effect. I have not been able to find the patch which addresses this
> problem; if anyone can point me towards it, I would be appreciative.

Hi,

Think this is the patch you want - (backported it from 2.4.14 to 2.4.9).

--
// Gianni Tedesco <[email protected]>
"Every great advance in natural knowledge has involved
the absolute rejection of authority." -- Thomas H. Huxley


Attachments:
syncookie-fix.diff (2.43 kB)

2001-11-08 12:26:08

by Alan

Subject: Re: SYN cookies security bugfix?

> I received a forwarded message from SuSE regarding a security vulnerability
> with respect to randomization of the ISN for SYN cookies - or something to
> that effect. I have not been able to find the patch which addresses this
> problem; if anyone can point me towards it, I would be appreciative.

It's fixed in 2.2.20, you can grab the 2.2 patch from there

2001-11-08 22:04:09

by Ed L Cashin

Subject: test SYN cookies (was Re: SYN cookies security bugfix?)

Alan Cox <[email protected]> writes:

> > I received a forwarded message from SuSE regarding a security vulnerability
> > with respect to randomization of the ISN for SYN cookies - or something to
> > that effect. I have not been able to find the patch which addresses this
> > problem; if anyone can point me towards it, I would be appreciative.
>
> It's fixed in 2.2.20, you can grab the 2.2 patch from there

What is a good way to test SYN cookies? I can induce a three-second
delay (on victim host V) before new TCP connections are accepted by
sending a burst of 2000 SYN packets (from attacker A), where V is
running a 2.2.14 or 2.2.17 kernel. During the three seconds ICMP echo
requests from A to V are being answered.

Turning on SYN cookies after /proc is mounted does not affect the
three-second pause, though, so I figure that either the pause is not
on account of a full half-open connection queue or SYN cookies are not
working.

--
--Ed Cashin PGP public key:
[email protected] http://www.terry.uga.edu/~ecashin/pgp/

2001-11-10 22:08:39

by Ed L Cashin

Subject: Re: test SYN cookies (was Re: SYN cookies security bugfix?)

Ed L Cashin <[email protected]> writes:

...
> What is a good way to test SYN cookies? I can induce a three-second
> delay (on victim host V) before new TCP connections are accepted by
> sending a burst of 2000 SYN packets (from attacker A), where V is
> running a 2.2.14 or 2.2.17 kernel. During the three seconds ICMP echo
> requests from A to V are being answered.
>
> Turning on SYN cookies after /proc is mounted does not affect the
> three-second pause, though, so I figure that either the pause is not
> on account of a full half-open connection queue or SYN cookies are not
> working.

OK, I have found out that when I use three hosts to try to test SYN
cookies there is no pause, so the pause was a red herring. However,
tests still seem to indicate that the SYN cookies feature doesn't do
anything.

Host A sends a SYN flood to host B, now sporting a new 2.2.20 kernel
(with SYN cookie support, of course). Host C makes repeated TCP
connections and ICMP echo requests to host B in order to monitor host
B.

However, even after setting tcp_max_syn_backlog to 1 on host B, I do
not observe any difference in connection times (from B to C) during a
SYN flood (from A to B) whether tcp_syncookies are on or off on host B
(1 or 0). I am restarting the server on B each time I make an
adjustment in /proc.

Is there anyone who has any evidence that SYN cookies do anything in
kernel 2.2.x? If so, how did you get that evidence, because I would
like to reproduce it.

--
--Ed Cashin PGP public key:
[email protected] http://www.terry.uga.edu/~ecashin/pgp/

2001-11-10 22:28:23

by Alan

Subject: Re: test SYN cookies (was Re: SYN cookies security bugfix?)

> Is there anyone who has any evidence that SYN cookies do anything in
> kernel 2.2.x? If so, how did you get that evidence, because I would
> like to reproduce it.

They work fine for me in 2.2.19/2.2.20. Make sure you compile them in and
turn them on. Also remember syn cookies ensure connection completions for
real connections, they don't deal with servers that simply can't keep up with
real work.

2001-11-11 05:21:26

by Ed L Cashin

Subject: Re: test SYN cookies (was Re: SYN cookies security bugfix?)

Thank you much for the reply.

Alan Cox <[email protected]> writes:

> > Is there anyone who has any evidence that SYN cookies do anything in
> > kernel 2.2.x? If so, how did you get that evidence, because I would
> > like to reproduce it.
>
> They work fine for me in 2.2.19/2.2.20.

That was reassuring enough that I persisted and found that the problem
was this: my home-spun SYN-flooder wasn't changing the TCP sequence
number, and so the "victim" was discarding the packets.

The three-second pause I observed previously was a red herring that
went away when I started using separate hosts for flooding and
connection-testing.

Now I see a night-and-day difference between with and without SYN
cookies (although when tcp_max_syn_backlog is set to more than a five
it takes a long time to fill the queue).

Thanks again.

--
--Ed Cashin PGP public key:
[email protected] http://www.terry.uga.edu/~ecashin/pgp/
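
One way to collect the kind of evidence asked for in this thread, as an added example that is not part of any poster's message: read the two /proc settings named above and compare the kernel's SYN cookie counters before and after a test window. It assumes a kernel that exposes the TcpExt Syncookies* counters in /proc/net/netstat; the function names, the optional /proc root argument and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read SYN cookie settings and counters.

# Print name=value for the two sysctls named in the thread.
# $1 is an optional /proc root (hypothetical parameter, for saved copies).
syncookie_settings() {
    root="${1:-/proc}"
    for name in tcp_syncookies tcp_max_syn_backlog; do
        file="$root/sys/net/ipv4/$name"
        # An absent tcp_syncookies file usually means CONFIG_SYN_COOKIES is off.
        if [ -r "$file" ]; then echo "$name=$(cat "$file")"; else echo "$name=absent"; fi
    done
}

# Print the Syncookies* counters from the TcpExt header/value line pair.
syncookie_counters() {
    awk '
        $1 != "TcpExt:" { next }
        !seen { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
        { for (i = 2; i <= NF; i++) if (name[i] ~ /^Syncookies/) print name[i] "=" $i }
    ' "${1:-/proc/net/netstat}"
}

# Succeed if SyncookiesSent grew between two saved netstat snapshots.
syncookies_fired() {
    before=$(syncookie_counters "$1" | sed -n 's/^SyncookiesSent=//p')
    after=$(syncookie_counters "$2" | sed -n 's/^SyncookiesSent=//p')
    [ "${after:-0}" -gt "${before:-0}" ]
}

# Constructed sample snapshots (not captured from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/before" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 0 0 0 4
EOF
cat > "$demo_dir/after" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 1873 12 3 4
IpExt: InOctets OutOctets
IpExt: 5000 2400
EOF

syncookie_settings
syncookie_counters "$demo_dir/after"
syncookies_fired "$demo_dir/before" "$demo_dir/after" &&
    echo "kernel sent SYN cookies during the test window"
```

On a live host, save /proc/net/netstat to a file before and after the test and pass the two files to syncookies_fired; a SyncookiesSent value that does not move means the backlog never overflowed or cookies are off.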