On 28/03/16(Mon) 23:56, Alexander Bluhm wrote:
> On Mon, Mar 21, 2016 at 12:58:41PM +0100, Alexander Bluhm wrote:
> > The attack I see is that you can measure the bucket distribution
> > by timing the SYN+ACK response. You can collect samples that end
> > in the same bucket. After you have collected enough, start your
> > DoS attack. I think that just collecting data is also possible
> > with a strong hash function. With a weak function you may collect
> > less and can start guessing early on top of that. But reseeding
> > after a number of packets prevents collecting information over a
> > long period.
>
> The syn cache already detects when it has too many bucket collisions.
> That seems a good moment to reseed the hash function.
Makes sense to me. The "> 0" check made me wonder. Can't you simply
use an unsigned variable and always set it to 0?
> ok?
ok mpi@
> Index: netinet/tcp_input.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
> retrieving revision 1.316
> diff -u -p -r1.316 tcp_input.c
> --- netinet/tcp_input.c 27 Mar 2016 19:19:01 -0000 1.316
> +++ netinet/tcp_input.c 28 Mar 2016 21:51:20 -0000
> @@ -3400,6 +3400,12 @@ syn_cache_insert(struct syn_cache *sc, s
> if (scp->sch_length >= tcp_syn_bucket_limit) {
> tcpstat.tcps_sc_bucketoverflow++;
> /*
> + * Someone might attack our bucket hash function. Reseed
> + * with random as soon as the passive syn cache gets empty.
> + */
> + if (set->scs_use > 0)
> + set->scs_use = 0;
> + /*
> * The bucket is full. Toss the oldest element in the
> * bucket. This will be the first entry in the bucket.
> */
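Review bot: the `if (set->scs_use > 0)` guard in front of `set->scs_use = 0;` only earns its keep if scs_use can hold a negative value whose meaning must survive a bucket overflow; if it cannot, an unconditional `set->scs_use = 0;` (or an unsigned scs_use) is simpler and does the same thing. The new comment also promises a reseed "as soon as the passive syn cache gets empty", but the hunk itself only zeroes scs_use; naming the place where scs_use is consumed would let a reader confirm that zero really forces the reseed rather than just resetting a counter.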
>
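As an added illustration (not OpenBSD's code, and reduced to a single set with no passive cache), the mechanism the thread discusses: a countdown `scs_use` that a full bucket zeroes so that the next insert rekeys the bucket hash, which scatters keys that collided under the old key. The toy hash, table sizes, limits and names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define NBUCKETS     64
#define BUCKET_LIMIT 8     /* stands in for tcp_syn_bucket_limit */
#define USE_LIMIT    1000  /* reseed anyway after this many inserts */
struct toy_set {
    uint64_t seed;          /* secret key of the bucket hash */
    int      scs_use;       /* inserts left before a scheduled reseed */
    unsigned len[NBUCKETS]; /* entries per bucket (toy: counts only) */
    unsigned overflows;     /* stands in for tcps_sc_bucketoverflow */
    unsigned reseeds;
};
static struct toy_set toy_state;  /* state the scenario below fills in */

/* Toy keyed hash for the demo only; the kernel uses a real keyed hash. */
static unsigned toy_bucket(uint64_t key, uint64_t seed)
{
    uint64_t h = (key ^ seed) * 0x9E3779B97F4A7C15ULL;
    return (unsigned)((h ^ (h >> 32)) % NBUCKETS);
}
/* next_seed stands in for arc4random(); consumed only when reseeding. */
static void toy_insert(struct toy_set *s, uint64_t key, uint64_t next_seed)
{
    if (s->scs_use <= 0) {               /* scheduled or forced reseed */
        s->seed = next_seed;
        s->scs_use = USE_LIMIT;
        memset(s->len, 0, sizeof(s->len)); /* toy: old entries expire */
        s->reseeds++;
    }
    unsigned b = toy_bucket(key, s->seed);
    if (s->len[b] >= BUCKET_LIMIT) {     /* full: oldest entry is tossed */
        s->overflows++;
        s->scs_use = 0;  /* hash may be under attack: reseed on next insert */
    } else
        s->len[b]++;
    s->scs_use--;
}
/* Worst case with the seed known here: 12 keys all in bucket 0 under seed 1.
 * Returns the longest bucket after the run; toy_state keeps the counters. */
static unsigned toy_scenario(void)
{
    struct toy_set *s = &toy_state;
    unsigned i, k, n, m = 0;
    memset(s, 0, sizeof(*s));            /* scs_use == 0: first insert reseeds */
    for (k = 0, n = 0; n < 12; k++)
        if (toy_bucket(k, 1) == 0)
            toy_insert(s, k, n++ == 0 ? 1 : 2);
    for (i = 0; i < NBUCKETS; i++)
        m = s->len[i] > m ? s->len[i] : m;
    return m;
}
```

After the ninth colliding key the bucket is full, scs_use is zeroed, and the tenth insert rekeys the hash, so the remaining keys no longer share a bucket.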