Slipping in the window update

Mike Silbersack silby at silby.com
Sun Jan 9 01:23:25 PST 2005


Ok, here's an updated patch for the SYN case.  I've included the patch 
relative to 6.x, and some text from a tcpdump showing it in action.

It responds to each SYN with an ACK like the latest tcpsecure document 
states, but it uses a global counter to rate limit the number of ACKs of 
this type that it will send to 200 per second.

I was unable to incorporate the connect idle heuristic I wanted to because 
right now the incoming spoofed SYNs would reset the idle counter, which 
sounds like it could cause a problem somehow... best not to use it for 
now.  Maybe a future change can clean up that along with the dropafterack 
case in tcp_input, but that would make this patch far too complex.

Please take a look at the patch and the abbreviated tcpdump from my test 
and see if it looks correct.

Thanks,

Mike "Silby" Silbersack
-------------- next part --------------
diff -u -r /usr/src/sys.old/netinet/icmp_var.h /usr/src/sys/netinet/icmp_var.h
--- /usr/src/sys.old/netinet/icmp_var.h	Mon Jan  3 00:03:31 2005
+++ /usr/src/sys/netinet/icmp_var.h	Sun Jan  9 02:47:12 2005
@@ -80,9 +80,10 @@
 #define BANDLIM_ICMP_UNREACH 0
 #define BANDLIM_ICMP_ECHO 1
 #define BANDLIM_ICMP_TSTAMP 2
-#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */
-#define BANDLIM_RST_OPENPORT 4   /* No connection, listener */
-#define BANDLIM_MAX 4
+#define BANDLIM_RST_CLOSEDPORT 3  /* No connection, and no listeners */
+#define BANDLIM_RST_OPENPORT 4    /* No connection, listener */
+#define BANDLIM_SYN_ESTABLISHED 5 /* Established connect, SYN recieved */
+#define BANDLIM_MAX 5
 #endif
 
 #endif
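Review bot: the comment on the new BANDLIM_SYN_ESTABLISHED line is misspelled and terser than its neighbours; "Established connect, SYN recieved" should read "Established connection, SYN received". Since BANDLIM_MAX moves from 4 to 5 in the same hunk, every table indexed by these constants needs a matching extra entry in this change, and a short comment next to BANDLIM_MAX saying so would help the next person who adds a type.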
diff -u -r /usr/src/sys.old/netinet/ip_icmp.c /usr/src/sys/netinet/ip_icmp.c
--- /usr/src/sys.old/netinet/ip_icmp.c	Mon Jan  3 00:03:31 2005
+++ /usr/src/sys/netinet/ip_icmp.c	Sun Jan  9 02:48:40 2005
@@ -897,7 +897,8 @@
 		{ "icmp ping response" },
 		{ "icmp tstamp response" },
 		{ "closed port RST response" },
-		{ "open port RST response" }
+		{ "open port RST response" },
+		{ "ACK for unexpected SYN" }
 	};
 
 	/*
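Review bot: nothing ties the position of the new "ACK for unexpected SYN" string to BANDLIM_SYN_ESTABLISHED, so this table and the constants in icmp_var.h can drift apart silently the next time a type is added. A compile-time check that the array holds BANDLIM_MAX + 1 entries would catch that. The label could also follow the "... response" wording of the entries above it so the rate-limit log messages read consistently.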
diff -u -r /usr/src/sys.old/netinet/tcp_input.c /usr/src/sys/netinet/tcp_input.c
--- /usr/src/sys.old/netinet/tcp_input.c	Mon Jan  3 01:11:40 2005
+++ /usr/src/sys/netinet/tcp_input.c	Sun Jan  9 02:51:17 2005
@@ -136,6 +136,11 @@
     &tcp_insecure_rst, 0,
     "Follow the old (insecure) criteria for accepting RST packets.");
 
+static int tcp_insecure_syn = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_syn, CTLFLAG_RW,
+    &tcp_insecure_syn, 0,
+    "Follow the old criteria allowing SYN packets to reset a connection.");
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
 	    "TCP Segment Reassembly Queue");
 
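Review bot: the description string for insecure_syn does not say which connections are affected or what the default of 0 means. Wording along the lines of "Follow the old (insecure) criteria for accepting SYN packets on established connections" would match the insecure_rst description directly above it and make clear that a non-zero value re-enables the old behaviour.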
@@ -1560,6 +1565,21 @@
 			}
 		}
 		goto drop;
+	}
+
+	if (thflags & TH_SYN) {
+		if (tp->t_state == TCPS_ESTABLISHED &&
+		    tcp_insecure_syn == 0) {
+			if (badport_bandlim(BANDLIM_SYN_ESTABLISHED) < 0)
+				goto drop;
+			tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
+				tp->snd_una, TH_ACK);
+			if (tp)
+				INP_UNLOCK(inp);
+			if (headlocked)
+				INP_INFO_WUNLOCK(&tcbinfo);
+			return;
+		}
 	}
 
 	/*
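Review bot: in the new TH_SYN block the test "if (tp)" before INP_UNLOCK(inp) comes after tp->t_state, tp->rcv_nxt and tp->snd_una have already been dereferenced, so it can never be false here; either drop the test or, if tp really can be NULL at this point, the dereferences above it are the bug. The block also handles only TCPS_ESTABLISHED, so a SYN arriving in any other state still falls through to the existing code, and a comment saying whether that is intentional would help. The two nested if statements could be folded into one condition to save an indent level.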
-------------- next part --------------
02:56:03.343419 IP 10.1.1.6.22 > 10.1.1.15.3043: P 170895595:170895723(128) ack 332054457 win 65535
02:56:03.343806 IP 10.1.1.15.3043 > 10.1.1.6.22: . ack 128 win 64911
02:56:04.223047 IP 10.1.1.15.3043 > 10.1.1.6.22: P 1:49(48) ack 128 win 64911
02:56:04.223554 IP 10.1.1.6.22 > 10.1.1.15.3043: P 128:176(48) ack 49 win 65535
02:56:04.224629 IP 10.1.1.15.3043 > 10.1.1.6.22: P 49:97(48) ack 176 win 64863
02:56:04.224937 IP 10.1.1.6.22 > 10.1.1.15.3043: P 176:224(48) ack 97 win 65535
02:56:04.226242 IP 10.1.1.15.3043 > 10.1.1.6.22: P 97:145(48) ack 224 win 64815
02:56:04.226530 IP 10.1.1.6.22 > 10.1.1.15.3043: P 224:272(48) ack 145 win 65535
02:56:04.349699 IP 10.1.1.15.3043 > 10.1.1.6.22: . ack 272 win 64767
02:56:04.757012 IP 10.1.1.15.3043 > 10.1.1.6.22: P 145:193(48) ack 272 win 64767
02:56:04.757303 IP 10.1.1.6.22 > 10.1.1.15.3043: P 272:320(48) ack 193 win 65535
02:56:04.896328 IP 10.1.1.15.3043 > 10.1.1.6.22: . ack 320 win 64719
02:56:05.000410 IP 10.1.1.15.3043 > 10.1.1.6.22: P 193:241(48) ack 320 win 64719
02:56:05.000709 IP 10.1.1.6.22 > 10.1.1.15.3043: P 320:368(48) ack 241 win 65535
02:56:05.092564 IP 10.1.1.15.3043 > 10.1.1.6.22: P 241:289(48) ack 368 win 64671
02:56:05.092855 IP 10.1.1.6.22 > 10.1.1.15.3043: P 368:416(48) ack 289 win 65535
02:56:05.106497 IP 10.1.1.15.3043 > 10.1.1.6.22: P 289:337(48) ack 416 win 64623
02:56:05.106784 IP 10.1.1.6.22 > 10.1.1.15.3043: P 416:464(48) ack 337 win 65535
02:56:05.108144 IP 10.1.1.15.3043 > 10.1.1.6.22: P 337:385(48) ack 464 win 64575
02:56:05.108445 IP 10.1.1.6.22 > 10.1.1.15.3043: P 464:512(48) ack 385 win 65535
02:56:05.216813 IP 10.1.1.15.3043 > 10.1.1.6.22: P 385:433(48) ack 512 win 64527
02:56:05.217101 IP 10.1.1.6.22 > 10.1.1.15.3043: P 512:560(48) ack 433 win 65535
02:56:05.300564 IP 10.1.1.15.3043 > 10.1.1.6.22: P 433:481(48) ack 560 win 64479
02:56:05.300853 IP 10.1.1.6.22 > 10.1.1.15.3043: P 560:608(48) ack 481 win 65535
02:56:05.302206 IP 10.1.1.15.3043 > 10.1.1.6.22: P 481:529(48) ack 608 win 64431
02:56:05.302498 IP 10.1.1.6.22 > 10.1.1.15.3043: P 608:656(48) ack 529 win 65535
02:56:05.409527 IP 10.1.1.15.3043 > 10.1.1.6.22: P 529:577(48) ack 656 win 64383
02:56:05.409820 IP 10.1.1.6.22 > 10.1.1.15.3043: P 656:704(48) ack 577 win 65535
02:56:05.469580 IP 10.1.1.15.3043 > 10.1.1.6.22: P 577:625(48) ack 704 win 64335
02:56:05.469867 IP 10.1.1.6.22 > 10.1.1.15.3043: P 704:752(48) ack 625 win 65535
02:56:05.482835 IP 10.1.1.15.3043 > 10.1.1.6.22: P 625:673(48) ack 752 win 64287
02:56:05.483128 IP 10.1.1.6.22 > 10.1.1.15.3043: P 752:800(48) ack 673 win 65535
02:56:05.560125 IP 10.1.1.15.3043 > 10.1.1.6.22: P 673:721(48) ack 800 win 64239
02:56:05.560413 IP 10.1.1.6.22 > 10.1.1.15.3043: P 800:848(48) ack 721 win 65535
02:56:05.653235 IP 10.1.1.15.3043 > 10.1.1.6.22: P 721:769(48) ack 848 win 64191
02:56:05.653525 IP 10.1.1.6.22 > 10.1.1.15.3043: P 848:896(48) ack 769 win 65535
02:56:05.666583 IP 10.1.1.15.3043 > 10.1.1.6.22: P 769:817(48) ack 896 win 64143
02:56:05.666869 IP 10.1.1.6.22 > 10.1.1.15.3043: P 896:944(48) ack 817 win 65535
02:56:05.679944 IP 10.1.1.15.3043 > 10.1.1.6.22: P 817:865(48) ack 944 win 64095
02:56:05.680245 IP 10.1.1.6.22 > 10.1.1.15.3043: P 944:992(48) ack 865 win 65535
02:56:05.737904 IP 10.1.1.15.3043 > 10.1.1.6.22: P 865:913(48) ack 992 win 65535
02:56:05.738199 IP 10.1.1.6.22 > 10.1.1.15.3043: P 992:1040(48) ack 913 win 65535
02:56:05.739533 IP 10.1.1.15.3043 > 10.1.1.6.22: P 913:961(48) ack 1040 win 65487
02:56:05.739819 IP 10.1.1.6.22 > 10.1.1.15.3043: P 1040:1088(48) ack 961 win 65535
02:56:05.824180 IP 10.1.1.15.3043 > 10.1.1.6.22: P 961:1009(48) ack 1088 win 65439
02:56:05.824467 IP 10.1.1.6.22 > 10.1.1.15.3043: P 1088:1136(48) ack 1009 win 65535
02:56:05.825840 IP 10.1.1.15.3043 > 10.1.1.6.22: P 1009:1057(48) ack 1136 win 65391
02:56:05.826135 IP 10.1.1.6.22 > 10.1.1.15.3043: P 1136:1184(48) ack 1057 win 65535
02:56:05.900415 IP 10.1.1.15.3043 > 10.1.1.6.22: P 1057:1105(48) ack 1184 win 65343
02:56:05.900704 IP 10.1.1.6.22 > 10.1.1.15.3043: P 1184:1232(48) ack 1105 win 65535
02:56:05.913678 IP 10.1.1.15.3043 > 10.1.1.6.22: P 1105:1153(48) ack 1232 win 65295
02:56:05.913978 IP 10.1.1.6.22 > 10.1.1.15.3043: P 1232:1280(48) ack 1153 win 65535
02:56:06.098927 IP 10.1.1.15.3043 > 10.1.1.6.22: . ack 1280 win 65247
02:56:08.719324 IP 10.1.1.15.3043 > 10.1.1.6.22: S 0:0(0) win 0
02:56:08.719851 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.719873 IP 10.1.1.15.3043 > 10.1.1.6.22: S 16384:16384(0) win 0
02:56:08.719888 IP 10.1.1.15.3043 > 10.1.1.6.22: S 32768:32768(0) win 0
02:56:08.719902 IP 10.1.1.15.3043 > 10.1.1.6.22: S 49152:49152(0) win 0
02:56:08.719915 IP 10.1.1.15.3043 > 10.1.1.6.22: S 65536:65536(0) win 0
02:56:08.719929 IP 10.1.1.15.3043 > 10.1.1.6.22: S 81920:81920(0) win 0
02:56:08.719943 IP 10.1.1.15.3043 > 10.1.1.6.22: S 98304:98304(0) win 0
02:56:08.719956 IP 10.1.1.15.3043 > 10.1.1.6.22: S 114688:114688(0) win 0
02:56:08.719970 IP 10.1.1.15.3043 > 10.1.1.6.22: S 131072:131072(0) win 0
02:56:08.719983 IP 10.1.1.15.3043 > 10.1.1.6.22: S 147456:147456(0) win 0
02:56:08.720001 IP 10.1.1.15.3043 > 10.1.1.6.22: S 163840:163840(0) win 0
02:56:08.720084 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720142 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720200 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720258 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720315 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720373 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720431 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720488 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720546 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720603 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720624 IP 10.1.1.15.3043 > 10.1.1.6.22: S 180224:180224(0) win 0
02:56:08.720638 IP 10.1.1.15.3043 > 10.1.1.6.22: S 196608:196608(0) win 0
02:56:08.720652 IP 10.1.1.15.3043 > 10.1.1.6.22: S 212992:212992(0) win 0
02:56:08.720666 IP 10.1.1.15.3043 > 10.1.1.6.22: S 229376:229376(0) win 0
02:56:08.720680 IP 10.1.1.15.3043 > 10.1.1.6.22: S 245760:245760(0) win 0
02:56:08.720694 IP 10.1.1.15.3043 > 10.1.1.6.22: S 262144:262144(0) win 0
02:56:08.720708 IP 10.1.1.15.3043 > 10.1.1.6.22: S 278528:278528(0) win 0
02:56:08.720722 IP 10.1.1.15.3043 > 10.1.1.6.22: S 294912:294912(0) win 0
02:56:08.720736 IP 10.1.1.15.3043 > 10.1.1.6.22: S 311296:311296(0) win 0
02:56:08.720750 IP 10.1.1.15.3043 > 10.1.1.6.22: S 327680:327680(0) win 0
02:56:08.720763 IP 10.1.1.15.3043 > 10.1.1.6.22: S 344064:344064(0) win 0
02:56:08.720796 IP 10.1.1.15.3043 > 10.1.1.6.22: S 360448:360448(0) win 0
02:56:08.720866 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720924 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.720982 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.721044 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
02:56:08.721101 IP 10.1.1.6.22 > 10.1.1.15.3043: . ack 1153 win 65535
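
The behaviour described in the mail, as an added example that is not part of the original post or of the FreeBSD source: a user-space C model in which a SYN on an established connection draws a bare ACK, capped by one global per-second counter. The struct, function and constant names are hypothetical and the connection state is constructed.

```c
/* Added user-space model; all names are hypothetical, this is not FreeBSD code. */
#include <stdint.h>
#define CHALLENGE_ACK_LIMIT 200   /* ACKs per second, the figure from the mail */
enum verdict { V_LEGACY, V_CHALLENGE_ACK, V_DROP };
struct conn { int established; uint32_t snd_una, rcv_nxt; };
struct ack  { uint32_t seq, ack; };
static struct { long second; int sent; } limiter = { -1, 0 };  /* global */

/* Returns 1 if one more ACK may be sent during second `now`, else 0. */
static int limiter_allow(long now)
{
	if (now != limiter.second) {      /* a new one-second window starts */
		limiter.second = now;
		limiter.sent = 0;
	}
	if (limiter.sent >= CHALLENGE_ACK_LIMIT)
		return 0;
	limiter.sent++;
	return 1;
}

/* The SYN's sequence number is not an input: the reply never depends on it. */
static enum verdict handle_syn(const struct conn *c, int insecure_syn,
    long now, struct ack *out)
{
	if (!c->established || insecure_syn)
		return V_LEGACY;              /* old code path, not modelled here */
	if (!limiter_allow(now))
		return V_DROP;                /* over budget: no reply at all */
	out->seq = c->snd_una;            /* same two fields the patch passes */
	out->ack = c->rcv_nxt;
	return V_CHALLENGE_ACK;
}

/* Feed `n` SYNs within second `now`; return how many drew an ACK. */
static int flood(const struct conn *c, int n, long now)
{
	struct ack a;
	int answered = 0;
	for (int i = 0; i < n; i++)
		answered += (handle_syn(c, 0, now, &a) == V_CHALLENGE_ACK);
	return answered;
}

int main(void)
{
	struct conn c = { 1, 1280, 1153 };   /* constructed sample state */
	return flood(&c, 250, 10) == 200 ? 0 : 1;
}
```

Because the counter is global rather than per connection, SYNs past the 200th in a given second get no reply on any connection.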

