Skip to content

Commit

Permalink
net: tcp: add option to disable TCP simultaneous connect
Browse files Browse the repository at this point in the history
This is modified from Brad Spengler/PaX Team's code in the last public
patch of grsecurity/PaX based on my understanding of the code. Changes
or omissions from the original code are mine and don't reflect the
original grsecurity/PaX code.

TCP simultaneous connect adds a weakness in Linux's implementation of
TCP that allows two clients to connect to each other without either
entering a listening state. The weakness allows an attacker to easily
prevent a client from connecting to a known server provided the source
port for the connection is guessed correctly.

As the weakness could be used to prevent an antivirus or IPS from
fetching updates, or prevent an SSL gateway from fetching a CRL, it
should be eliminated.

This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
disables TCP simultaneous connect.

Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
Reviewd-by: Levente Polyak <levente@leventepolyak.net>
Signed-off-by: Levente Polyak <levente@leventepolyak.net>
  • Loading branch information
madaidan authored and anthraxx committed Sep 12, 2020
1 parent b65729a commit e205c12
Show file tree
Hide file tree
Showing 5 changed files with 53 additions and 1 deletion.
18 changes: 18 additions & 0 deletions Documentation/networking/ip-sysctl.rst
Original file line number Diff line number Diff line change
Expand Up @@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER

Default : 44

tcp_simult_connect - BOOLEAN
Enable TCP simultaneous connect that adds a weakness in Linux's strict
implementation of TCP that allows two clients to connect to each other
without either entering a listening state. The weakness allows an attacker
to easily prevent a client from connecting to a known server provided the
source port for the connection is guessed correctly.

As the weakness could be used to prevent an antivirus or IPS from fetching
updates, or prevent an SSL gateway from fetching a CRL, it should be
eliminated by disabling this option. Though Linux is one of few operating
systems supporting simultaneous connect, it has no legitimate use in
practice and is rarely supported by firewalls.

Disabling this may break TCP STUNT which is used by some applications for
NAT traversal.

Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON

tcp_slow_start_after_idle - BOOLEAN
If set, provide RFC2861 behavior and time out the congestion
window after an idle period. An idle period is defined at
Expand Down
1 change: 1 addition & 0 deletions include/net/tcp.h
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
/* sysctl variables for tcp */
extern int sysctl_tcp_max_orphans;
extern long sysctl_tcp_mem[3];
extern int sysctl_tcp_simult_connect;

#define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
#define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
Expand Down
23 changes: 23 additions & 0 deletions net/ipv4/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -743,3 +743,26 @@ config TCP_MD5SIG
on the Internet.

If unsure, say N.

config TCP_SIMULT_CONNECT_DEFAULT_ON
bool "Enable TCP simultaneous connect"
help
Enable TCP simultaneous connect that adds a weakness in Linux's strict
implementation of TCP that allows two clients to connect to each other
without either entering a listening state. The weakness allows an
attacker to easily prevent a client from connecting to a known server
provided the source port for the connection is guessed correctly.

As the weakness could be used to prevent an antivirus or IPS from
fetching updates, or prevent an SSL gateway from fetching a CRL, it
should be eliminated by disabling this option. Though Linux is one of
few operating systems supporting simultaneous connect, it has no
legitimate use in practice and is rarely supported by firewalls.

Disabling this may break TCP STUNT which is used by some applications
for NAT traversal.

This setting can be overridden at runtime via the
net.ipv4.tcp_simult_connect sysctl.

If unsure, say N.
9 changes: 9 additions & 0 deletions net/ipv4/sysctl_net_ipv4.c
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
.mode = 0644,
.proc_handler = proc_do_static_key,
},
{
.procname = "tcp_simult_connect",
.data = &sysctl_tcp_simult_connect,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
{ }
};

Expand Down
3 changes: 2 additions & 1 deletion net/ipv4/tcp_input.c
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@
#include <net/mptcp.h>

int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);

#define FLAG_DATA 0x01 /* Incoming frame contained data. */
#define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
Expand Down Expand Up @@ -6110,7 +6111,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
tcp_paws_reject(&tp->rx_opt, 0))
goto discard_and_undo;

if (th->syn) {
if (th->syn && sysctl_tcp_simult_connect) {
/* We see SYN without ACK. It is attempt of
* simultaneous connect with crossed SYNs.
* Particularly, it can be connect to self.
Expand Down

0 comments on commit e205c12

Please sign in to comment.