
oss-sec mailing list archives
Re: CVE Request -- kernel: tcp: drop SYN+FIN messages
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 07 Jun 2012 12:37:30 -0600
On 06/07/2012 01:31 AM, John Haxby wrote:
> On 01/06/12 20:12, Kurt Seifried wrote:
>> In my limited testing with iptables on RHEL 6.2 it appears that --state NEW works properly, and won't allow SYN+FIN to create connections (I used hping3 and the SYN+FIN packets were blocked). So the default ruleset:
>>
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> should work, so you could do your clever --syn bits first and then have that set to protect stuff from SYN+FIN.
>
> What happens if you have "-j ACCEPT" instead of "-j DROP"? I would expect that sshd wouldn't see the connection but you would get all the unpleasant side effects that made T/TCP deprecated.
Ooops yeah typo, that DROP should have been ACCEPT. So to summarize properly:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

results in ICMP unreachable (the -F -S bypasses the "--dport 22 -j ACCEPT" but gets caught in the final "icmp-host-prohibited" rule) with:

hping3 -c 3 -n -S -F -p 22 192.168.51.195

With:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited

with hping -F -S the packets bypass the "--dport 22 -j DROP" and get caught by the icmp-host-prohibited; with hping -S the packets get caught by the "--dport 22 -j DROP" as expected. So basically --state NEW works fine and dandy.
-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
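As an added example (not code from the thread or from iptables), the following Python parses the two INPUT chains discussed above and walks a bare SYN and a SYN+FIN through them. The conntrack classification is a constructed, simplified model: a packet with no existing flow is NEW only when its FIN/SYN/RST/ACK bits are exactly SYN, so SYN+FIN is INVALID and falls through to the final REJECT, which is the behaviour the thread reports; the default INPUT policy is assumed to be ACCEPT.

```python
"""Model of how the two INPUT rulesets from the thread treat SYN vs SYN+FIN.

Added example, not code from the thread. conntrack_state() is a constructed
approximation of nf_conntrack: it covers the flag combinations hping3 sends
here (-S and -S -F) and ignores mid-stream pickup of other first packets.
"""
import shlex

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def conntrack_state(flags):
    """State of a packet that has no conntrack entry yet (simplified model)."""
    return "NEW" if flags & (FIN | SYN | RST | ACK) == SYN else "INVALID"


def parse_rule(text):
    """Parse the subset of iptables syntax used in the thread into a dict."""
    toks = shlex.split(text)
    rule = {"state": None, "dport": None, "target": None, "reject_with": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--state":
            rule["state"] = set(toks[i + 1].split(",")); i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "--reject-with":
            rule["reject_with"] = toks[i + 1]; i += 2
        else:
            i += 1  # -A INPUT, -m state, -m tcp, -p tcp: no effect on this model
    return rule


def evaluate(rules, flags, dport):
    """Walk the chain top to bottom and return the verdict the packet hits."""
    state = conntrack_state(flags)
    for r in rules:
        if r["state"] is not None and state not in r["state"]:
            continue
        if r["dport"] is not None and dport != r["dport"]:
            continue
        return r["target"] + (f" {r['reject_with']}" if r["reject_with"] else "")
    return "ACCEPT"  # assumed default INPUT policy


def ruleset(port22_target):
    """The thread's chain with the port-22 rule set to ACCEPT or DROP."""
    return [parse_rule(r) for r in (
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j {port22_target}",
        "-A INPUT -j REJECT --reject-with icmp-host-prohibited")]


if __name__ == "__main__":
    for tgt in ("ACCEPT", "DROP"):
        for name, flags in (("SYN", SYN), ("SYN+FIN", SYN | FIN)):
            print(f"port-22 rule -j {tgt:6} {name:8} -> {evaluate(ruleset(tgt), flags, 22)}")
```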