The problem is located in PAWS TCP protection. In 2005 Noritoshi Demizu reported a similar problem in other OSes: "Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability" http://www.securityfocus.com/bid/13676/info

If I send a SYN packet with the victim's source IP and a high TCP timestamp, legitimate victim connections cannot be established.

Details: 4 computers = (1 victim (alex), 1 attacker (montse), 1 server (safin)), rofi (NAT server); tcpdump on server safin.

Technical example detail: (This attack was developed on one LAN with NAT.) (The alex server and the montse server are on the same LAN.)

tcpdump on the "safin" server says:

#Montse workstation can connect to safin
13:23:29.122938 IP rofi.example.48107 > safin.croulder.com.887: S 3310111294:3310111294(0) win 5840 <mss 1460,sackOK,timestamp 1832397361 0,nop,wscale 0>
13:23:29.123001 IP safin.croulder.com.887 > rofi.example.com.48107: S 543284462:543284462(0) ack 3310111295 win 5792 <mss 1460,sackOK,timestamp 1215642359 1832397361,nop,wscale 2>
13:23:29.185365 IP rofi.example.com.48107 > safin.croulder.com887: . ack 1 win 5840 <nop,nop,timestamp 1832397427 1215642359>
13:23:33.010579 IP rofi.example.com.48107 > safin.croulder.com.887: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 1832401251 1215642359>
13:23:33.010643 IP safin.croulder.com.887 > rofi.example.com.48107: . ack 2 win 1448 <nop,nop,timestamp 1215646248 1832401251>
13:23:33.010854 IP safin.croulder.com.887 > rofi.example.com.48107: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp 1215646248 1832401251>
13:23:33.040681 IP rofi.example.com.48107 > safin.croulder.com.887: . ack 2 win 5840 <nop,nop,timestamp 1832401281 1215646248>

#alex workstation tries to connect but cannot establish a connection.
13:23:13.350222 IP rofi.example.com.33078 > safin.croulder.com.887: S 1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 635887 0,nop,wscale 0>
13:23:16.351578 IP rofi.example.com.33078 > safin.croulder.com.887: S 1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 638887 0,nop,wscale 0>
13:23:22.350207 IP rofi.example.com.33078 > safin.croulder.com.887: S 1271852125:1271852125(0) win 5840 <mss 1460,sackOK,timestamp 644887 0,nop,wscale 0>

Port 887 is in LISTEN mode :P

All tcpdump data are extracted from the safin console, and you can see that safin never sends an ACK to alex.

Bugs: in PAWS TCP protection and in the NAT implementation. PAWS could drop a SYN with a high timestamp if the source IP address and source port are the same, but right now PAWS TCP protection drops all packets if the TCP timestamp is bigger and the source IP is equal.

Bug in the NAT implementation? Yes, I think that NAT must modify the TCP timestamp value or not send the flag.

I tried that example attack on my desktop PC, trying to connect to one server, and I could only establish one connection.

Partial solution applied? echo "0" > /proc/sys/net/ipv4/tcp_timestamps

Tested in: 2.6.12.16, 2.6.21.5 and 2.6.8
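As an added example (not code from the original post), the following Python models the receiver-side PAWS decision the post describes and contrasts three listener configurations: PAWS state keyed by peer IP alone (the behaviour the author reports), keyed by the full connection tuple, and TCP timestamps disabled (the author's partial workaround). The source ports and TSval values are taken from the tcpdump excerpt above; the NAT's public address 192.0.2.1, the modular timestamp comparison from RFC 7323, and all class and function names are assumptions of this example.

```python
"""Added example: model of a listener's PAWS check on incoming SYNs.

Not code from the original post. Ports and TSval values come from the
tcpdump excerpt; the NAT public address (192.0.2.1) is a constructed
placeholder and all names here are assumptions of this example.
"""
from dataclasses import dataclass, field

TS_MASK = 0xFFFFFFFF


def tsval_is_older(tsval: int, ts_recent: int) -> bool:
    """PAWS comparison as in RFC 7323: the segment's TSval is 'older' than
    TS.Recent when (TSval - TS.Recent) is negative as a 32-bit signed value,
    so the check keeps working across timestamp wraparound."""
    diff = (tsval - ts_recent) & TS_MASK
    return diff >= 0x80000000


@dataclass
class Syn:
    src_ip: str
    src_port: int
    dst_port: int
    tsval: int  # TSval carried in the TCP timestamp option


@dataclass
class Listener:
    # "ip": PAWS state keyed by peer address only (what the post reports,
    #       so a second host behind the same NAT gets rejected).
    # "4tuple": state keyed per connection, so a different source port
    #       behind the same NAT is judged on its own history.
    keying: str = "4tuple"
    timestamps_enabled: bool = True  # False models net.ipv4.tcp_timestamps=0
    ts_recent: dict = field(default_factory=dict)

    def _key(self, syn: Syn):
        if self.keying == "ip":
            return syn.src_ip
        return (syn.src_ip, syn.src_port, syn.dst_port)

    def accept(self, syn: Syn) -> bool:
        """True if the listener would answer this SYN with a SYN/ACK."""
        if not self.timestamps_enabled:
            return True  # no timestamp option negotiated, PAWS never runs
        key = self._key(syn)
        last = self.ts_recent.get(key)
        if last is not None and tsval_is_older(syn.tsval, last):
            return False  # PAWS drop: TSval is behind what was last seen
        self.ts_recent[key] = syn.tsval
        return True


# Constructed flows based on the capture: both workstations leave the NAT
# box "rofi" with the same public address but different source ports.
NAT_IP = "192.0.2.1"  # placeholder for rofi's address
MONTSE_SYN = Syn(NAT_IP, 48107, 887, 1832397361)  # high TSval, seen first
ALEX_SYN = Syn(NAT_IP, 33078, 887, 635887)        # much lower TSval, seen later


def run_scenario(keying: str, timestamps_enabled: bool = True):
    """Replay montse's SYN then alex's SYN; return (montse_ok, alex_ok)."""
    srv = Listener(keying=keying, timestamps_enabled=timestamps_enabled)
    return srv.accept(MONTSE_SYN), srv.accept(ALEX_SYN)


if __name__ == "__main__":
    for label, args in [("keyed by IP", ("ip",)),
                        ("keyed by 4-tuple", ("4tuple",)),
                        ("timestamps off", ("ip", False))]:
        print(f"{label:18s} montse/alex accepted: {run_scenario(*args)}")
```

With state keyed by IP, alex's SYN (TSval 635887) is compared against the 1832397361 left behind by montse's earlier connection through the same NAT address and is dropped, which is the silence the capture shows; keyed per connection, or with timestamps off, both SYNs are answered. The modular comparison is what keeps a legitimate peer whose clock has wrapped past 2^32 from being rejected.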
Linux is not vulnerable to this; the TCP stack validates the sequence numbers on input.