git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Eric Dumazet <edumazet@google.com>
	Fri, 5 May 2017 13:56:54 +0000 (06:56 -0700)
committer	David S. Miller <davem@davemloft.net>
	Fri, 5 May 2017 16:00:11 +0000 (12:00 -0400)
commit	84b114b98452c431299d99c135f751659e517acb
tree	53778bfd4964bed65ac40a9c1c57a73f21cb9664	tree \| snapshot
parent	9051247dcf9ecee156d2ddac39a4f1ca591f8428	commit \| diff

tcp: randomize timestamps on syncookies

Whole point of randomization was to hide server uptime, but an attacker
can simply start a syn flood and TCP generates 'old style' timestamps,
directly revealing server jiffies value.

Also, TSval sent by the server to a particular remote address vary
depending on syncookies being sent or not, potentially triggering PAWS
drops for innocent clients.

Lets implement proper randomization, including for SYNcookies.

Also we do not need to export sysctl_tcp_timestamps, since it is not
used from a module.

In v2, I added Florian feedback and contribution, adding tsoff to
tcp_get_cookie_sock().

v3 removed one unused variable in tcp_v4_connect() as Florian spotted.

Fixes: 95a22caee396c ("tcp: randomize tcp timestamp offsets for each connection")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Tested-by: Florian Westphal <fw@strlen.de>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/secure_seq.h		diff \| blob \| history
include/net/tcp.h		diff \| blob \| history
net/core/secure_seq.c		diff \| blob \| history
net/ipv4/syncookies.c		diff \| blob \| history
net/ipv4/tcp_input.c		diff \| blob \| history
net/ipv4/tcp_ipv4.c		diff \| blob \| history
net/ipv6/syncookies.c		diff \| blob \| history
net/ipv6/tcp_ipv6.c		diff \| blob \| history