Bug 247234 - Denial of Service in the TCP Timestamp implementation
Summary: Denial of Service in the TCP Timestamp implementation
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-07-06 06:38 UTC by Marcel Holtmann
Modified: 2007-07-11 02:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-11 02:46:47 UTC
Embargoed:



Description Marcel Holtmann 2007-07-06 06:38:33 UTC
The problem is located in the PAWS TCP protection. In 2005 Noritoshi
Demizu reported a similar problem in other OSes:
"Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability"
 http://www.securityfocus.com/bid/13676/info

If I send a SYN packet with the victim's source IP and a high TCP timestamp,
legitimate victim connections cannot be established.

Details:
4 computers: 1 victim (alex), 1 attacker (montse), 1 server (safin),
and rofi (NAT server)
tcpdump on the server safin

Technical Example Detail:
(This attack was developed on one LAN with NAT; the alex and montse
machines are on the same LAN.)

tcpdump on the "safin" server shows:

#Montse workstation can connect to safin
13:23:29.122938 IP rofi.example.48107 > safin.croulder.com.887: S
3310111294:3310111294(0) win 5840 <mss 1460,sackOK,timestamp
1832397361 0,nop,wscale 0>
13:23:29.123001 IP safin.croulder.com.887 > rofi.example.com.48107: S
543284462:543284462(0) ack 3310111295 win 5792 <mss
1460,sackOK,timestamp 1215642359 1832397361,nop,wscale 2>
13:23:29.185365 IP rofi.example.com.48107 > safin.croulder.com887: .
ack 1 win 5840 <nop,nop,timestamp 1832397427 1215642359>
13:23:33.010579 IP rofi.example.com.48107 > safin.croulder.com.887: F
1:1(0) ack 1 win 5840 <nop,nop,timestamp 1832401251 1215642359>
13:23:33.010643 IP safin.croulder.com.887 > rofi.example.com.48107: .
ack 2 win 1448 <nop,nop,timestamp 1215646248 1832401251>
13:23:33.010854 IP safin.croulder.com.887 > rofi.example.com.48107: F
1:1(0) ack 2 win 1448 <nop,nop,timestamp 1215646248 1832401251>
13:23:33.040681 IP rofi.example.com.48107 > safin.croulder.com.887: .
ack 2 win 5840 <nop,nop,timestamp 1832401281 1215646248>

#alex workstation tries to connect but cannot establish a connection.
13:23:13.350222 IP rofi.example.com.33078 > safin.croulder.com.887: S
1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 635887
0,nop,wscale 0>
13:23:16.351578 IP rofi.example.com.33078 > safin.croulder.com.887: S
1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 638887
0,nop,wscale 0>
13:23:22.350207 IP rofi.example.com.33078 > safin.croulder.com.887: S
1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 644887
0,nop,wscale 0>

port 887 in LISTEN mode :P
All tcpdump data were captured on the safin console, and you can see that
safin never sends an ack to alex.

Bugs: in the PAWS TCP protection and in the NAT implementation.

PAWS could drop a SYN with a high timestamp if the source IP address and
source port are the same, but now the PAWS TCP protection drops all packets
if the TCP timestamp is bigger and the source IP is equal.

Bug in the NAT implementation? Yes, I think that NAT must modify the TCP
timestamp value or not send the flag.

I tested that example attack on my desktop PC, trying to connect to one server,
and I could only establish one connection.

Partial solution applied? echo "0" > /proc/sys/net/ipv4/tcp_timestamps

Tested in: 2.6.12.16 , 2.6.21.5  and 2.6.8
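An added example, not code from the report or from the kernel: a simplified model of the SYN timestamp check the reporter describes, keyed either per source IP (the behaviour complained about) or per (IP, port), replayed over the SYNs from the tcpdump above. The hostnames, ports and TSvals are taken from the trace; the class and function names are the example's own.

```python
# Added example, not kernel code: a simplified model of the SYN timestamp
# check the report describes, keyed either per source IP or per (IP, port).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Syn:
    src_ip: str           # as seen by the server: the NAT's public address
    src_port: int
    tsval: Optional[int]  # None when the SYN carries no timestamp option


class TimestampGate:
    """Drop a SYN whose TSval is below the last one remembered for its key.
    key_by_port=False models the per-source-IP behaviour the reporter complains
    about; key_by_port=True keys on (ip, port), so two hosts behind one NAT
    with unrelated timestamp clocks no longer interfere with each other."""

    def __init__(self, key_by_port: bool) -> None:
        self.key_by_port = key_by_port
        self.last_tsval: Dict[Tuple[str, Optional[int]], int] = {}

    def accept(self, syn: Syn) -> bool:
        if syn.tsval is None:      # nothing to compare: let the SYN through
            return True
        key = (syn.src_ip, syn.src_port if self.key_by_port else None)
        seen = self.last_tsval.get(key)
        if seen is not None and syn.tsval < seen:
            return False           # treated as a stale segment: PAWS drop
        self.last_tsval[key] = syn.tsval
        return True


def run_trace(key_by_port: bool, syns: List[Syn]) -> List[bool]:
    gate = TimestampGate(key_by_port)
    return [gate.accept(s) for s in syns]


# Constructed from the tcpdump in the report: montse's SYN carries a large
# TSval, alex's three retransmitted SYNs (same NAT address, other port) small ones.
TRACE = [
    Syn("rofi.example.com", 48107, 1832397361),
    Syn("rofi.example.com", 33078, 635887),
    Syn("rofi.example.com", 33078, 638887),
    Syn("rofi.example.com", 33078, 644887),
]

if __name__ == "__main__":
    print("per-IP keying:  ", run_trace(False, TRACE))  # [True, False, False, False]
    print("per-flow keying:", run_trace(True, TRACE))   # [True, True, True, True]
```

Replaying the trace with tsval set to None on every SYN models the reporter's partial workaround of disabling timestamps: every SYN is then accepted under either keying.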

Comment 2 David Miller 2007-07-10 22:28:01 UTC
Linux is not vulnerable to this; the TCP stack validates the sequence
numbers on input.


