Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > The example rule in the iptables-extensions(8) manpage suggests:
> > 
> > 	iptables -A INPUT -i eth0 -p tcp --dport 80
> >                   -m state --state UNTRACKED,INVALID -j SYNPROXY
> >                   --sack-perm --timestamp --mss 1460 --wscale 9
> > 
> > This is allowing invalid PSH,ACK packets to enter the SYNPROXY target
> > since they are matching the INVALID state.
> 
> Why INVALID?  Shouldn't we already have a valid conntrack entry at this point?
>
> > This results in the following sequence:
> >      client               synproxy             server
> >        |                     |                   |
> >        |                     |                   |
> >            ... 3-way handshake via synproxy ...
> >        |                     |                   |
> >        |-------------------->|                   |
> >        |       psh,ack       |------------------>|
> >        |                     |        syn        |   uh, why syn? I'm
> >        |                     |                   | already established?!
> >        |                     |<------------------|
> >        |<--------------------|        rst        |
> >        |         rst         |                   |
> > 
> > Problem is that the psh,ack packet is handled by SYNPROXY as it would be
> > the ACK packet (the third step in the handshake), hence SYNPROXY sends
> > it as as SYN packet to the server. The server is not happy, since the
> > handshake already happened time ago, so it sends the RST packet and
> > connection is teared down immediately.
> 
> I don't understand why push,ack is invalid in first place.
> If we do not have a valid connection at this point then a pure
> ack would have same effect (reset), no?

Under normal circunstances yes, but anyone could cycle and forged
PSH,ACK packets to the synproxy that are invalid, right? That would
open up for a DOS against SYNPROXY itself...

As you said, this can be worst, a simple invalid ACK packet would
result in a SYN packet to the server for an already established
connection.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux