Here's my proposed patch to change RST handling so that ESTABLISHED
connections are subject to strict RST checking, but connections in other
states are only subject to the "within the window" check. Part 2 of
the
patch is simply a patch to netstat so that it displays the statistic.
As expected, it's very straightforward, the only real question is what to
call the statistic... "Ignored RSTs in the window" isn't the best
description.
FWIW, I've been testing with the exploit code
(reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this
change does indeed defeat the attack. It took me a while to get the code
working, they really munged up the libnet calls, but I guess that was the
intent.
Mike "Silby" Silbersack
-------------- next part --------------
diff -u -r /usr/src/sys.old/netinet/tcp_input.c /usr/src/sys/netinet/tcp_input.c
--- /usr/src/sys.old/netinet/tcp_input.c Thu Apr 22 01:15:15 2004
+++ /usr/src/sys/netinet/tcp_input.c Fri Apr 23 22:13:18 2004
@@ -1570,6 +1570,10 @@
goto close;
case TCPS_ESTABLISHED:
+ if (tp->last_ack_sent != th->th_seq) {
+ tcpstat.tcps_badrst++;
+ goto drop;
+ }
case TCPS_FIN_WAIT_1:
case TCPS_FIN_WAIT_2:
case TCPS_CLOSE_WAIT:
diff -u -r /usr/src/sys.old/netinet/tcp_var.h /usr/src/sys/netinet/tcp_var.h
--- /usr/src/sys.old/netinet/tcp_var.h Thu Apr 22 01:15:16 2004
+++ /usr/src/sys/netinet/tcp_var.h Fri Apr 23 22:12:49 2004
@@ -414,6 +414,7 @@
u_long tcps_badsyn; /* bogus SYN, e.g. premature ACK */
u_long tcps_mturesent; /* resends due to MTU discovery */
u_long tcps_listendrop; /* listen queue overflows */
+ u_long tcps_badrst; /* ignored RSTs in the window */
u_long tcps_sc_added; /* entry added to syncache */
u_long tcps_sc_retransmitted; /* syncache entry was retransmitted */
-------------- next part --------------
--- /usr/src/usr.bin/netstat/inet.c.old Fri Apr 23 22:19:43 2004
+++ /usr/src/usr.bin/netstat/inet.c Fri Apr 23 22:21:09 2004
@@ -415,6 +415,7 @@
p(tcps_accepts, "\t%lu connection accept%s\n");
p(tcps_badsyn, "\t%lu bad connection attempt%s\n");
p(tcps_listendrop, "\t%lu listen queue overflow%s\n");
+ p(tcps_badrst, "\t%lu Ignored RSTs in the window%s\n");
p(tcps_connects, "\t%lu connection%s established (including
accepts)\n");
p2(tcps_closed, tcps_drops,
"\t%lu connection%s closed (including %lu drop%s)\n");