Differential D2267

Change the default value for drop_synfin to true. There is no reason to accept a packet with both the SYN and FIN flags set. Suggested by: hiren
AbandonedPublic
Actions

Authored by gnn on Apr 9 2015, 6:48 PM.

Details

Reviewers

rwatson

Group Reviewers

network

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

gnn updated this revision to Diff 4763.Apr 9 2015, 6:48 PM

gnn retitled this revision from to Change the default value for drop_synfin to true. There is no reason to accept a packet with both the SYN and FIN flags set. Suggested by: hiren.

gnn updated this object.

gnn edited the test plan for this revision. (Show Details)

Herald added a subscriber: imp. · View Herald TranscriptApr 9 2015, 6:48 PM

gnn added a reviewer: network.Apr 9 2015, 6:48 PM

While the behaviour in handling SYN|FIN is undefined by the TCP specification, SYN|FIN probing is widely used in host-stack fingerprinting. It's not clear that fingerprintability is a bug -- and, in fact, it's sometimes relied on as a feature. Disabling responses here will break that feature. I'm not sure I would encourage this change.

This revision now requires changes to proceed.Apr 10 2015, 3:39 PM

Yes my proposed change would prevent fingerprinting. When would fingerprinting be considered a feature by those being fingerprinted?

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/tcp-headers-with-syn-and-fin-flags-set.html

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3041&signatureSubId=0

http://www.symantec.com/connect/articles/abnormal-ip-packets
SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious.

It seems pretty common to drop them, and it only affects active fingerprinting, not passive fingerprinting.

To date, the view we've taken on fingerprinting is that it's nearly impossible actually to prevent fingerprinting as it's effectively a side channel. So, for example, we made a policy decision to continuing reporting not just the SSH protocol version but also FreeBSD version via sshd on port 22, etc, despite a few complaints from users. As such, my casual reading is that flipping this one flag will make little or no actual security difference.

(which is all to say: I guess I don't really mind the change, but I'm not sure it really accomplishes much.)

For me this isn't so much about security, per se, as dropping packets we know to have no use earlier in the process of handling them. Why waste time on packets that have no discernible purpose or future utility? The SYN will just get stuck in the SYN cache and time out, wasting resources.

gnn abandoned this revision.Apr 14 2015, 2:18 PM

In D2267#14, @gnn wrote:

For me this isn't so much about security, per se, as dropping packets we know to have no use earlier in the process of handling them. Why waste time on packets that have no discernible purpose or future utility? The SYN will just get stuck in the SYN cache and time out, wasting resources.

Spec is not clear on this subject and there is really no use of such a packet. *And* it takes up space in syn cache.

I fail to understand why we want to keep it.

emaste mentioned this in D2266: I can find no reason to allow packets with both SYN and FIN bits set past this point in the code. The packet should be dropped and not massaged as it is here..Nov 15 2018, 8:43 PM

Revision Contents
Changeset List

Path

Size

sys/

netinet/

tcp_input.c

2 lines

Diff 4763

View Options

Change the default value for drop_synfin to true. There is no reason to accept a packet with both the SYN and FIN flags set. Suggested by: hirenAbandonedPublicActions