tcp: implement RFC 5961 3.2

Implement the RFC 5691 mitigation against Blind Reset attack using RST bit. Idea is to validate incoming RST sequence, to match RCV.NXT value, instead of previouly accepted window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND) If sequence is in window but not an exact match, send a "challenge ACK", so that the other part can resend an RST with the appropriate sequence. Add a new sysctl, tcp_challenge_ack_limit, to limit number of challenge ACK sent per second. Add a new SNMP counter to count number of challenge acks sent. (netstat -s | grep TCPChallengeACK) Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Kiran Kumar Kella <kkiran@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2012-07-17 04:13:05 -0400
committer: David S. Miller <davem@davemloft.net> 2012-07-17 04:36:20 -0400
commit: 282f23c6ee343126156dd41218b22ece96d747e3 (patch)
tree: 9a306d99ed77d760078d29699edd3007507d709b
parent: a858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d (diff)
6 files changed, 45 insertions, 1 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index e20c17a7d34e..e1e021594cff 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -565,6 +565,11 @@ tcp_limit_output_bytes - INTEGER
        reduce the size of individual GSO packet (64KB being the max)
        Default: 131072
+tcp_challenge_ack_limit - INTEGER
+        Limits number of Challenge ACK sent per second, as recommended
+        in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
+        Default: 100
 UDP variables:
 udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index 6e4c51123828..673e0e928b2b 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -237,6 +237,7 @@ enum
        LINUX_MIB_TCPOFOQUEUE,                  /* TCPOFOQueue */
        LINUX_MIB_TCPOFODROP,                   /* TCPOFODrop */
        LINUX_MIB_TCPOFOMERGE,                  /* TCPOFOMerge */
+        LINUX_MIB_TCPCHALLENGEACK,              /* TCPChallengeACK */
        __LINUX_MIB_MAX
 };
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 439984b9af49..85c5090bfe25 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -254,6 +254,7 @@ extern int sysctl_tcp_thin_linear_timeouts;
 extern int sysctl_tcp_thin_dupack;
 extern int sysctl_tcp_early_retrans;
 extern int sysctl_tcp_limit_output_bytes;
+extern int sysctl_tcp_challenge_ack_limit;
 extern atomic_long_t tcp_memory_allocated;
 extern struct percpu_counter tcp_sockets_allocated;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index dae25e7622cf..3e8e78f12a38 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -261,6 +261,7 @@ static const struct snmp_mib snmp4_net_list[] = {
        SNMP_MIB_ITEM("TCPOFOQueue", LINUX_MIB_TCPOFOQUEUE),
        SNMP_MIB_ITEM("TCPOFODrop", LINUX_MIB_TCPOFODROP),
        SNMP_MIB_ITEM("TCPOFOMerge", LINUX_MIB_TCPOFOMERGE),
+        SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
        SNMP_MIB_SENTINEL
 };
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 70730f7aeafe..3f6a1e762e9c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -605,6 +605,13 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+        {
+                .procname       = "tcp_challenge_ack_limit",
+                .data           = &sysctl_tcp_challenge_ack_limit,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
 #ifdef CONFIG_NET_DMA
        {
                .procname       = "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index cc4e12f1f2f7..c841a8990377 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -88,6 +88,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
 int sysctl_tcp_adv_win_scale __read_mostly = 1;
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+/* rfc5961 challenge ack rate limiting */
+int sysctl_tcp_challenge_ack_limit = 100;
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
 int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
@@ -5247,6 +5250,23 @@ out:
 }
 #endif /* CONFIG_NET_DMA */
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+        /* unprotected vars, we dont care of overwrites */
+        static u32 challenge_timestamp;
+        static unsigned int challenge_count;
+        u32 now = jiffies / HZ;
+        if (now != challenge_timestamp) {
+                challenge_timestamp = now;
+                challenge_count = 0;
+        }
+        if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+                tcp_send_ack(sk);
+        }
+}
 /* Does PAWS and seqno based validation of an incoming segment, flags will
 * play significant role here.
 */
@@ -5283,7 +5303,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
        /* Step 2: check RST bit */
        if (th->rst) {
-                tcp_reset(sk);
+                /* RFC 5961 3.2 :
+                 * If sequence number exactly matches RCV.NXT, then
+                 *     RESET the connection
+                 * else
+                 *     Send a challenge ACK
+                 */
+                if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
+                        tcp_reset(sk);
+                else
+                        tcp_send_challenge_ack(sk);
                goto discard;
        }
author	Eric Dumazet <edumazet@google.com>	2012-07-17 04:13:05 -0400
committer	David S. Miller <davem@davemloft.net>	2012-07-17 04:36:20 -0400
commit	282f23c6ee343126156dd41218b22ece96d747e3 (patch)
tree	9a306d99ed77d760078d29699edd3007507d709b
parent	a858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d (diff)