The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=f0f6e50388963cae44bb92bb69ed7a1135dd2eec
commit f0f6e50388963cae44bb92bb69ed7a1135dd2eec Author: Michael Tuexen <tue...@freebsd.org> AuthorDate: 2025-08-09 12:17:38 +0000 Commit: Michael Tuexen <tue...@freebsd.org> CommitDate: 2025-08-09 12:17:38 +0000 tcp: mitigate a side channel for detection of TCP connections If a blind attacker wants to guess by sending ACK segments if there exists a TCP connection , this might trigger a challenge ACK on an existing TCP connection. To make this hit non-observable for the attacker, also increment the global counter, which would have been incremented if it would have been a non-hit. This issue was reported as issue number 11 in Keyu Man et al.: SCAD: Towards a Universal and Automated Network Side-Channel Vulnerability Detection Reviewed by: Nick Banks, Peter Lei MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D51724 --- sys/netinet/tcp_subr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 26e7e53d540c..1fce7c591639 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -82,6 +82,7 @@ #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/ip_var.h> +#include <netinet/icmp_var.h> #ifdef INET6 #include <netinet/icmp6.h> #include <netinet/ip6.h> @@ -2156,6 +2157,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) sbintime_t now; bool send_challenge_ack; + /* + * The sending of a challenge ACK could be triggered by a blind attacker + * to detect an existing TCP connection. To mitigate that, increment + * also the global counter which would be incremented if the attacker + * would have guessed wrongly. + */ + (void)badport_bandlim(BANDLIM_TCP_RST); if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) { /* ACK war protection is disabled. */ send_challenge_ack = true;
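Review bot: The new `#include <netinet/icmp_var.h>` in the first hunk is what brings in the `badport_bandlim()` prototype and the `BANDLIM_TCP_RST` constant used in the second hunk; it is placed next to `<netinet/ip_var.h>` before the `#ifdef INET6` block, so the declaration is visible regardless of whether INET6 is configured, which is correct since the challenge-ACK path is shared by both address families. Nothing else to flag here.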
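Review bot: In the tcp_send_challenge_ack() hunk the `badport_bandlim(BANDLIM_TCP_RST)` call is made unconditionally on entry, before the `V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0` test, and its return value is discarded with `(void)`. Both choices look deliberate and should stay: the counter must move identically whether the probe hit a connection or not, and letting the bandlim result gate the challenge ACK would reintroduce an observable difference. Two things worth recording in the comment, though. First, the BANDLIM_TCP_RST bucket is shared with genuine RST rate limiting, so a burst of challenge ACKs on legitimate connections now consumes the same budget and can cause RSTs to non-listening ports to be suppressed earlier than before; that is an accepted cost of the mitigation but is not stated. Second, the comment text "increment also the global counter" reads more naturally as "also increment the global counter", matching the commit message.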
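To make the reasoning in the commit message concrete, here is a small model of the side channel and of the fix. It is an added illustration, not code from the FreeBSD tree: `Stack`, `receive_ack` and `leaks` are hypothetical names, the four-tuples are constructed, and the only thing modelled is the global rate-limit counter that the unmitigated code touched on a miss but not on a hit.

```python
# Model of the challenge-ACK side channel described in the commit message
# and of the mitigation (increment the shared counter on the hit path too).
# Hypothetical names; constructed connection tuples; not FreeBSD code.

class Stack:
    def __init__(self, mitigated: bool):
        self.mitigated = mitigated
        # Stands in for the BANDLIM_TCP_RST bucket: a global, connection-
        # independent counter whose rate-limiting effect is observable.
        self.global_counter = 0
        self.connections = set()

    def badport_bandlim(self):
        # Simplified stand-in for badport_bandlim(BANDLIM_TCP_RST).
        self.global_counter += 1

    def receive_ack(self, four_tuple) -> str:
        if four_tuple in self.connections:
            # Hit: an existing connection answers with a challenge ACK.
            # Before the fix this path never touched the global counter.
            if self.mitigated:
                self.badport_bandlim()
            return "challenge_ack"
        # Miss: no connection, a rate-limited RST is generated and the
        # global counter is always incremented.
        self.badport_bandlim()
        return "rst"


def counter_delta(stack: Stack, four_tuple) -> int:
    """How much the global counter moves when one ACK segment arrives."""
    before = stack.global_counter
    stack.receive_ack(four_tuple)
    return stack.global_counter - before


def leaks(mitigated: bool) -> bool:
    """True if a hit and a miss move the shared counter differently."""
    s = Stack(mitigated)
    existing = ("10.0.0.1", 443, "10.0.0.2", 50000)   # constructed
    absent = ("10.0.0.1", 443, "10.0.0.2", 50001)     # constructed
    s.connections.add(existing)
    return counter_delta(s, existing) != counter_delta(s, absent)


if __name__ == "__main__":
    print("unmitigated leaks:", leaks(False))   # True
    print("mitigated leaks:  ", leaks(True))    # False
```

The point of the model is the invariant the patch establishes: after the change, `counter_delta` is the same for a hit and a miss, so the state of the shared bucket no longer depends on whether a connection exists.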