Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
TCP Sequence Number Approximation Based Denial of Service?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
tmcca
Tux's lil' helper
Tux's lil' helper


Joined: 24 May 2019
Posts: 120

PostPosted: Mon Dec 02, 2019 8:58 pm    Post subject: TCP Sequence Number Approximation Based Denial of Service? Reply with quote

I am doing a PCI scan and got the following:

TCP Sequence Number Approximation Based Denial of Service

Refer to US-CERT Vulnerability Note VU#415294 and OSVDB Article 4030 to obtain a list of vendors affected by this issue and a note on resolutions (if any) provided by the vendor.

is there a fix for this?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22819

PostPosted: Tue Dec 03, 2019 2:25 am    Post subject: Reply with quote

TCP is not used to access PCI or PCIe devices. Such devices are locally attached, rather than accessed over the network. I suppose you might have a PCI / PCIe card for TCP offload and have that vulnerability in the firmware of the offload card. If so, you need to consult with the maker of that card for a firmware update. Otherwise, please provide more information. What exactly did you do that led to that message? What device(s) do you think have this problem? Why are you asking about those devices on a Gentoo forum?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Tue Dec 03, 2019 6:03 am    Post subject: Reply with quote

Are you running a BGP router?
Back to top
View user's profile Send private message
freke
Veteran
Veteran


Joined: 23 Jan 2003
Posts: 1035
Location: Somewhere in Denmark

PostPosted: Tue Dec 03, 2019 8:22 am    Post subject: Reply with quote

Hu wrote:
TCP is not used to access PCI or PCIe devices. Such devices are locally attached, rather than accessed over the network. I suppose you might have a PCI / PCIe card for TCP offload and have that vulnerability in the firmware of the offload card. If so, you need to consult with the maker of that card for a firmware update. Otherwise, please provide more information. What exactly did you do that led to that message? What device(s) do you think have this problem? Why are you asking about those devices on a Gentoo forum?


I suspect you're talking about different PCIs here ;)

I think the OP talks about something like https://www.qualys.com/apps/pci-compliance/ ?
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1791

PostPosted: Tue Dec 03, 2019 5:11 pm    Post subject: Reply with quote

https://lwn.net/Articles/81560/

This link describes more of the issue, and why it is effectively ignored outside of hosts using BGP routers. In short, the reason why it is only a issue for BGP routers, is more of on the importance of the tcp link staying up. For regular tcp links, (like for http, email and such) tcp links are short lived. As the article explains, it is like this, consider if the link for you downloading something gets closed due to this. What are you going to do? Simply try again, simple as that (a whole new link is made). BGP routers on the other hand depend on communicating with neighbor BGP routers, to know how to route stuff. If that link is closed; the router has to trash all those routes (thus killing off part of the network).

Quote:
For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22819

PostPosted: Wed Dec 04, 2019 1:19 am    Post subject: Reply with quote

freke wrote:
I suspect you're talking about different PCIs here ;)

I think the OP talks about something like https://www.qualys.com/apps/pci-compliance/ ?
I considered that, but I figured anyone working with that PCI would have made a clearer problem statement, so I went with the assumption that the user was just confused and tried to help accordingly.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum