git: d1ab6d36aeb2 - stable/14 - tcp: mitigate a side channel for detection of TCP connections
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 05 Sep 2025 18:58:18 UTC
The branch stable/14 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=d1ab6d36aeb21091f7a442ca78aa2ca9a8941875 commit d1ab6d36aeb21091f7a442ca78aa2ca9a8941875 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2025-08-09 12:17:38 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2025-09-05 18:57:52 +0000 tcp: mitigate a side channel for detection of TCP connections If a blind attacker wants to guess by sending ACK segments if there exists a TCP connection , this might trigger a challenge ACK on an existing TCP connection. To make this hit non-observable for the attacker, also increment the global counter, which would have been incremented if it would have been a non-hit. This issue was reported as issue number 11 in Keyu Man et al.: SCAD: Towards a Universal and Automated Network Side-Channel Vulnerability Detection Reviewed by: Nick Banks, Peter Lei Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51724 (cherry picked from commit f0f6e50388963cae44bb92bb69ed7a1135dd2eec) --- sys/netinet/tcp_subr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index d17b46d13038..6a9a4635cee7 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -85,6 +85,7 @@ #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/ip_var.h> +#include <netinet/icmp_var.h> #ifdef INET6 #include <netinet/icmp6.h> #include <netinet/ip6.h> @@ -2230,6 +2231,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) sbintime_t now; bool send_challenge_ack; + /* + * The sending of a challenge ACK could be triggered by a blind attacker + * to detect an existing TCP connection. To mitigate that, increment + * also the global counter which would be incremented if the attacker + * would have guessed wrongly. + */ + (void)badport_bandlim(BANDLIM_TCP_RST); if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) { /* ACK war protection is disabled. */ send_challenge_ack = true;