
Linux networking: Security bug in SYN cookies

To: netdev@xxxxxxxxxxx
Subject: Linux networking: Security bug in SYN cookies
From: "Silas S. Brown" <ssb22@xxxxxxxxx>
Date: Mon, 15 Oct 2001 21:15:14 +0100
Cc: "D. J. Bernstein" <djb@xxxxxxxx>, Ross.Anderson@xxxxxxxxxxxx
Sender: owner-netdev@xxxxxxxxxxx

There is a security bug in linux/net/ipv4/syncookies.c.  It
can be fixed.

The following attack may be used to make connections to
ports that are normally blocked by a SYN-blocking firewall,
if the victim host runs SYN cookies as implemented in the
Linux kernel.

First, find a port on the victim host that is open to the
world (say a Web server).  Begin SYN-flooding that port.
Then send millions of random ACK packets to the port that is
blocked by the firewall (finger, FTP, telnet, or whatever).

A SYN-blocking firewall would not block ACK packets (because
they could be part of outgoing TCP connections) and would
thus let them in, while also letting in the flood of SYN
packets to the public port.  So the victim host sees a SYN
queue overflow, starts using SYN cookies, and has a
reasonably high probability of being fooled by one of the
random ACK packets into behaving as if a connection on the
firewalled port had been established.  The attacker can then
continue with the connection as though the SYN-blocking
firewall weren't there.

This could be used to gain private information about a site
(e.g. by querying a finger daemon that is not normally
visible to the world), or for compromising a specific target
that may have vulnerable daemons that are blocked by the

The solution (as pointed out by D. J. Bernstein in a private
communication in response to the above) is to make the
variable tcp_lastsynq_overflow local to each listening port,
instead of being a global.

Best wishes,       Silas

Silas S Brown, St John's College Cambridge UK

"Have a reputation for being reasonable" - Philippians 4:5, Phillip's
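
A simplified model of the gating decision behind the fix proposed in the message above, added here as an example; it is not code from the kernel source or from the original message. The struct, the function names and the 60-second window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define COOKIE_WINDOW 60L    /* assumed: seconds after an overflow in which cookie ACKs are examined */
#define NEVER (-1000000L)    /* sentinel: this queue has never overflowed */

struct listener {
    unsigned short port;
    long last_overflow;      /* per-listener timestamp, the shape of the proposed fix */
};

/* Models the single global timestamp the message describes. */
static long global_last_overflow = NEVER;

/* Called when a listener's SYN queue overflows and a cookie is sent instead. */
void note_overflow(struct listener *l, long now)
{
    l->last_overflow = now;
    global_last_overflow = now;
}

/* Before: an overflow on any port opens cookie validation on every port. */
bool cookie_ack_examined_global(const struct listener *l, long now)
{
    (void)l;
    return now - global_last_overflow <= COOKIE_WINDOW;
}

/* After: a stray ACK is only checked against a cookie if this listener overflowed. */
bool cookie_ack_examined_per_listener(const struct listener *l, long now)
{
    return now - l->last_overflow <= COOKIE_WINDOW;
}

int main(void)
{
    struct listener web = { 80, NEVER }, finger = { 79, NEVER };  /* constructed sample */
    note_overflow(&web, 100);   /* only the public port's queue overflows */
    printf("finger, global gate:       %d\n", cookie_ack_examined_global(&finger, 110));
    printf("finger, per-listener gate: %d\n", cookie_ack_examined_per_listener(&finger, 110));
    printf("web,    per-listener gate: %d\n", cookie_ack_examined_per_listener(&web, 110));
    return 0;
}
```

With the per-listener gate, an ACK arriving at a port whose own SYN queue never overflowed is dropped before any cookie comparison takes place.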
