On Mon, Mar 21, 2016 at 12:58:41PM +0100, Alexander Bluhm wrote:
> The attack I see is that you can measure the bucket distribution
> by timing the SYN+ACK response. You can collect samples that end
> in the same bucket. After you have collected enough, start your
> DoS attack. I think that just collecting data is also possible
> with a strong hash function. With a weak function you may collect
> less and can start guessing early on top of that. But reseeding
> after a number of packets prevents to collect information over a
> long period.
The syn cache already detects when it has too many bucket collisions.
That seems a good moment to reseed the hash function.
ok?
bluhm
Index: netinet/tcp_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.316
diff -u -p -r1.316 tcp_input.c
--- netinet/tcp_input.c 27 Mar 2016 19:19:01 -0000 1.316
+++ netinet/tcp_input.c 28 Mar 2016 21:51:20 -0000
@@ -3400,6 +3400,12 @@ syn_cache_insert(struct syn_cache *sc, s
if (scp->sch_length >= tcp_syn_bucket_limit) {
tcpstat.tcps_sc_bucketoverflow++;
/*
+ * Someone might attack our bucket hash function. Reseed
+ * with random as soon as the passive syn cache gets empty.
+ */
+ if (set->scs_use > 0)
+ set->scs_use = 0;
+ /*
* The bucket is full. Toss the oldest element in the
* bucket. This will be the first entry in the bucket.
*/
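Review bot: the guard "if (set->scs_use > 0)" before "set->scs_use = 0;" only changes the result when scs_use is already negative; if the counter cannot go below zero, the plain assignment reads clearer, and if it can, the new comment should say why a negative value has to be preserved. The comment also promises a reseed "as soon as the passive syn cache gets empty", but nothing in this hunk reseeds anything, it only zeroes the use counter, so naming the code path that reacts to scs_use reaching zero (the set switch) would let a reader verify the claim from here. Minor style point: the addition leaves two back-to-back comment blocks in the overflow branch where one merged comment ("The bucket is full, which may mean someone is attacking the hash: force a reseed at the next set switch and toss the oldest element ...") would do.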
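To make the two-set mechanism and the effect of the patch concrete, here is a small model written for this note; it is an added illustration, not the kernel's code. It assumes a toy keyed bucket hash (MurmurHash3's finaliser over the 4-tuple and a two-word key), a xorshift generator standing in for arc4random_buf(), and the stand-in names BUCKET_LIMIT, USE_LIMIT, use, count and key for tcp_syn_bucket_limit, tcp_syn_use_limit, scs_use, scs_count and scs_random. An attacker who has learned which tuples share a bucket under the current key fills that bucket; the overflow zeroes the use counter as the patch does, the next insert switches to the empty passive set with a fresh key, and the rest of the attacker's precomputed collisions scatter.

```c
/* Model of a two-set syn cache with reseed-on-bucket-overflow. Added example,
 * not OpenBSD's tcp_input.c; all names below are stand-ins (see lead-in). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SYN_HASH_SIZE 64     /* buckets per set (assumed toy value) */
#define BUCKET_LIMIT  4      /* stand-in for tcp_syn_bucket_limit */
#define USE_LIMIT     1000   /* stand-in for tcp_syn_use_limit */

struct tuple { uint32_t src, dst; uint16_t sport, dport; };

struct syn_set {
	uint32_t key[2];                /* per-set hash secret (scs_random) */
	int use;                        /* inserts left before a switch is due (scs_use) */
	int count;                      /* live entries in this set (scs_count) */
	int bucket_len[SYN_HASH_SIZE];  /* sch_length of each bucket */
};

static struct syn_set sets[2];
static int active;                      /* set currently taking new SYNs */
static unsigned long bucket_overflows;  /* tcps_sc_bucketoverflow stand-in */

/* xorshift64 stands in for arc4random_buf() so the run is reproducible. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint32_t rng32(void) {
	rng_state ^= rng_state << 13; rng_state ^= rng_state >> 7; rng_state ^= rng_state << 17;
	return (uint32_t)(rng_state >> 32);
}
static void reseed(struct syn_set *s) { s->key[0] = rng32(); s->key[1] = rng32(); }

/* MurmurHash3 finaliser: cheap full-avalanche mixing for the toy hash. */
static uint32_t fmix32(uint32_t h) {
	h ^= h >> 16; h *= 0x85EBCA6Bu; h ^= h >> 13; h *= 0xC2B2AE35u; h ^= h >> 16;
	return h;
}

/* Toy keyed bucket hash (not the kernel's): key-dependent enough that a
 * collision found under one key does not survive a reseed. */
static int syn_hash(const struct syn_set *s, const struct tuple *t) {
	uint32_t h = fmix32(s->key[0] ^ t->src);
	h = fmix32(h ^ t->dst ^ ((uint32_t)t->sport << 16 | t->dport));
	return (int)(fmix32(h ^ s->key[1]) % SYN_HASH_SIZE);
}

static void syn_cache_init(void) {
	memset(sets, 0, sizeof(sets));
	active = 0; bucket_overflows = 0;
	reseed(&sets[0]); sets[0].use = USE_LIMIT;
}

/* Insert one SYN and return the bucket it landed in. */
static int syn_cache_insert(const struct tuple *t) {
	struct syn_set *set = &sets[active];
	/* Switch sets once the active one has used its quota and the passive set
	 * has drained; the passive set gets a fresh key before it takes over. */
	if (set->use <= 0 && sets[!active].count == 0) {
		active = !active; set = &sets[active];
		reseed(set); set->use = USE_LIMIT;
	}
	set->use--;
	int b = syn_hash(set, t);
	if (set->bucket_len[b] >= BUCKET_LIMIT) {
		bucket_overflows++;
		/* The patch's rule: an overflow may mean the key is known, so make
		 * the next switch (as soon as the passive set is empty) reseed. */
		if (set->use > 0)
			set->use = 0;
		set->bucket_len[b]--; set->count--;   /* toss the oldest entry */
	}
	set->bucket_len[b]++; set->count++;
	return b;
}

/* What the attacker in the thread ends up with: n tuples sharing one bucket
 * under the active key. Found by brute force here instead of by timing. */
static int find_colliding(struct tuple *out, int n, int target_bucket) {
	int found = 0;
	for (uint32_t i = 1; found < n && i < 1000000; i++) {
		struct tuple t = { 0x0A000000u + i, 0xC0A80001u,   /* constructed tuples */
		    (uint16_t)(1024 + (i & 0xFFFF)), 443 };
		if (syn_hash(&sets[active], &t) == target_bucket)
			out[found++] = t;
	}
	return found;
}

struct attack_result {
	int found; unsigned long overflows; int set_switched;
	int old_set_len7, new_set_count, new_set_max_len, key_changed;
};

/* Flood bucket 7 with precomputed collisions and watch the reseed kick in. */
static struct attack_result run_attack(void) {
	struct attack_result r = {0};
	struct tuple col[BUCKET_LIMIT + 1 + 8];
	syn_cache_init();
	uint32_t k0 = sets[0].key[0], k1 = sets[0].key[1];
	r.found = find_colliding(col, (int)(sizeof(col) / sizeof(col[0])), 7);
	for (int i = 0; i < r.found; i++)
		syn_cache_insert(&col[i]);
	r.overflows = bucket_overflows;
	r.set_switched = (active == 1);
	r.old_set_len7 = sets[0].bucket_len[7];
	r.new_set_count = sets[1].count;
	for (int i = 0; i < SYN_HASH_SIZE; i++)
		if (sets[1].bucket_len[i] > r.new_set_max_len)
			r.new_set_max_len = sets[1].bucket_len[i];
	r.key_changed = (sets[1].key[0] != k0 || sets[1].key[1] != k1);
	return r;
}

int main(void) {
	struct attack_result r = run_attack();
	printf("collisions found %d, overflows %lu, switched %d, entries in new set %d, "
	    "longest bucket there %d\n", r.found, r.overflows, r.set_switched,
	    r.new_set_count, r.new_set_max_len);
	return 0;
}
```

The run shows the sequence the patch aims at: the first BUCKET_LIMIT collisions fill the bucket, the next one overflows and zeroes the counter, and every later SYN goes to the freshly keyed set where the attacker's list no longer collides. What the model leaves out is the timeout that drains the old set, so a real cache only switches once the passive set has actually emptied.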