View previous topic :: View next topic |
Author |
Message |
tmcca Tux's lil' helper
Joined: 24 May 2019 Posts: 120
|
Posted: Mon Dec 02, 2019 8:58 pm Post subject: TCP Sequence Number Approximation Based Denial of Service? |
|
|
I am doing a PCI scan and got the following:
TCP Sequence Number Approximation Based Denial of Service
Refer to US-CERT Vulnerability Note VU#415294 and OSVDB Article 4030 to obtain a list of vendors affected by this issue and a note on resolutions (if any) provided by the vendor.
is there a fix for this? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22818
|
Posted: Tue Dec 03, 2019 2:25 am Post subject: |
|
|
TCP is not used to access PCI or PCIe devices. Such devices are locally attached, rather than accessed over the network. I suppose you might have a PCI / PCIe card for TCP offload and have that vulnerability in the firmware of the offload card. If so, you need to consult with the maker of that card for a firmware update. Otherwise, please provide more information. What exactly did you do that led to that message? What device(s) do you think have this problem? Why are you asking about those devices on a Gentoo forum? |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Tue Dec 03, 2019 6:03 am Post subject: |
|
|
Are you running a BGP router? |
|
Back to top |
|
|
freke Veteran
Joined: 23 Jan 2003 Posts: 1035 Location: Somewhere in Denmark
|
Posted: Tue Dec 03, 2019 8:22 am Post subject: |
|
|
Hu wrote: | TCP is not used to access PCI or PCIe devices. Such devices are locally attached, rather than accessed over the network. I suppose you might have a PCI / PCIe card for TCP offload and have that vulnerability in the firmware of the offload card. If so, you need to consult with the maker of that card for a firmware update. Otherwise, please provide more information. What exactly did you do that led to that message? What device(s) do you think have this problem? Why are you asking about those devices on a Gentoo forum? |
I suspect you're talking about different PCIs here
I think the OP talks about something like https://www.qualys.com/apps/pci-compliance/ ? |
|
Back to top |
|
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Tue Dec 03, 2019 5:11 pm Post subject: |
|
|
https://lwn.net/Articles/81560/
This link describes more of the issue, and why it is effectively ignored outside of hosts using BGP routers. In short, the reason why it is only a issue for BGP routers, is more of on the importance of the tcp link staying up. For regular tcp links, (like for http, email and such) tcp links are short lived. As the article explains, it is like this, consider if the link for you downloading something gets closed due to this. What are you going to do? Simply try again, simple as that (a whole new link is made). BGP routers on the other hand depend on communicating with neighbor BGP routers, to know how to route stuff. If that link is closed; the router has to trash all those routes (thus killing off part of the network).
Quote: | For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number. |
|
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22818
|
Posted: Wed Dec 04, 2019 1:19 am Post subject: |
|
|
I considered that, but I figured anyone working with that PCI would have made a clearer problem statement, so I went with the assumption that the user was just confused and tried to help accordingly. |
|
Back to top |
|
|
|