Page MenuHomeFreeBSD

Change the default value for drop_synfin to true. There is no reason to accept a packet with both the SYN and FIN flags set. Suggested by: hiren
AbandonedPublic

Authored by gnn on Apr 9 2015, 6:48 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 15, 11:47 PM
Unknown Object (File)
Nov 21 2024, 10:27 AM
Unknown Object (File)
Oct 30 2024, 6:49 AM
Unknown Object (File)
Sep 30 2024, 3:02 AM
Unknown Object (File)
Sep 24 2024, 12:56 PM
Unknown Object (File)
Sep 18 2024, 7:21 AM
Unknown Object (File)
Sep 8 2024, 10:48 AM
Unknown Object (File)
Sep 5 2024, 1:41 PM

Details

Reviewers
rwatson
Group Reviewers
network

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

gnn retitled this revision from to Change the default value for drop_synfin to true. There is no reason to accept a packet with both the SYN and FIN flags set. Suggested by: hiren.
gnn updated this object.
gnn edited the test plan for this revision. (Show Details)
rwatson requested changes to this revision.Apr 10 2015, 3:39 PM
rwatson added a reviewer: rwatson.
rwatson added a subscriber: rwatson.

While the behaviour in handling SYN|FIN is undefined by the TCP specification, SYN|FIN probing is widely used in host-stack fingerprinting. It's not clear that fingerprintability is a bug -- and, in fact, it's sometimes relied on as a feature. Disabling responses here will break that feature. I'm not sure I would encourage this change.

This revision now requires changes to proceed.Apr 10 2015, 3:39 PM

Yes my proposed change would prevent fingerprinting. When would fingerprinting be considered a feature by those being fingerprinted?

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/tcp-headers-with-syn-and-fin-flags-set.html

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3041&signatureSubId=0

http://www.symantec.com/connect/articles/abnormal-ip-packets
SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious.

It seems pretty common to drop them, and it only affects active fingerprinting, not passive fingerprinting.

To date, the view we've taken on fingerprinting is that it's nearly impossible actually to prevent fingerprinting as it's effectively a side channel. So, for example, we made a policy decision to continuing reporting not just the SSH protocol version but also FreeBSD version via sshd on port 22, etc, despite a few complaints from users. As such, my casual reading is that flipping this one flag will make little or no actual security difference.

(which is all to say: I guess I don't really mind the change, but I'm not sure it really accomplishes much.)

For me this isn't so much about security, per se, as dropping packets we know to have no use earlier in the process of handling them. Why waste time on packets that have no discernible purpose or future utility? The SYN will just get stuck in the SYN cache and time out, wasting resources.

In D2267#14, @gnn wrote:

For me this isn't so much about security, per se, as dropping packets we know to have no use earlier in the process of handling them. Why waste time on packets that have no discernible purpose or future utility? The SYN will just get stuck in the SYN cache and time out, wasting resources.

Spec is not clear on this subject and there is really no use of such a packet. *And* it takes up space in syn cache.

I fail to understand why we want to keep it.