Red Hat would like to thank CERT-FI and Outpost24 AB for reporting these issues.

Exploiting these flaws requires the attacker to have access to a subnet where they can make use of routable IP addresses. These need to be different from the IP address being used by the attacker's machine. The attacking system must send from IP addresses that other hosts are not competing for, and it must guarantee that its ARP poisoning is completely effective. The attacking system must create an attack that can not only generate the three-way handshake but can avoid sending RST frames in a response.

Denial of service flaws in the way TCP connections are handled have been disclosed by Robert E. Lee and the late Jack C. Louis of Outpost24 AB. These flaws allow an attacker to create crafted TCP connections, which can eventually exhaust the receiver's system resources and lead to a denial of service. These flaws are assigned CVE-2008-4609 (Red Hat Bugzilla bug 465932). Details of the attacks are described in the CERT-FI advisory.

Resolution

These attacks target design limitations of the TCP protocol. Due to the upstream decision not to release updates, Red Hat does not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced.

The following iptables example limits the number of new connections over a time period. It checks if packets are part of an existing or associated connection. If they are, the packets are accepted. Otherwise, if 10 connection attempts to any TCP port are received within one minute, they are dropped:

# The following rule accepts a packet that is associated with an established connection,
# or that is starting a new connection that is associated with an existing connection:
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# The following rule updates the recent list if the packet is from a new connection, and
# drops the packet if it is above the limit (10 hits from the same source within 60 seconds):
iptables -A INPUT -p tcp -m recent --update --seconds 60 --hitcount 10 -j DROP

# The following rule records the packet in the recent list if it was a new connection and
# was not above the limit set in the previous rule. It has no target, so the packet then
# continues down the INPUT chain to the remaining rules and the chain policy:
iptables -A INPUT -p tcp -m recent --set

This example is a connection rate limit, not a concurrent connection count limit. Closing existing connections does not free up capacity for new ones, because the limit counts connection attempts over the time period rather than open connections. This example can be extended with TCP matches to separate limits per destination port. This is only an example. Mitigation should be dealt with on a site-by-site basis.
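The per-destination-port extension mentioned above, as an added example that is not part of the original article or Red Hat's own ruleset. It keeps the same recent-module logic as the rules above but adds two assumptions of its own: the TCP `--syn` match, so that only connection attempts count against the budget rather than every non-established TCP packet, and a separate `--name` list per port, so that a burst against one service does not consume another service's budget. The port numbers and budgets (10 SYNs per minute to port 22, 30 per minute to port 80) are constructed values for illustration. It needs an iptables with the recent module (so not Red Hat Enterprise Linux 3); `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Per-port TCP connection-rate limit built on the recent-module approach.
# Added example; assumes iptables with the recent match available.
# Invoke as "sh ratelimit.sh show" to print the rules, "sh ratelimit.sh apply" to load them.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# limit_port PORT SECONDS HITCOUNT
# Emits two rules for one destination port, keyed by a per-port recent list
# (assumed naming scheme: ratelimit_<port>).
limit_port() {
    port=$1; seconds=$2; hits=$3
    name="ratelimit_$port"
    # Drop a new SYN from a source that already has HITCOUNT entries in the last SECONDS.
    # --update also refreshes the timestamp, so a source that keeps retrying stays blocked.
    run -A INPUT -p tcp --syn --dport "$port" -m recent --name "$name" \
        --update --seconds "$seconds" --hitcount "$hits" -j DROP
    # Otherwise record this SYN in the per-port list; the packet then continues
    # down the INPUT chain (no target here, exactly as in the article's third rule).
    run -A INPUT -p tcp --syn --dport "$port" -m recent --name "$name" --set
}

# build_ruleset: established/related traffic first, then one budget per service.
build_ruleset() {
    run -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Constructed per-port budgets for illustration.
    limit_port 22 60 10
    limit_port 80 60 30
}

# count_rules: number of iptables commands the ruleset would issue (dry run).
count_rules() {
    (DRY_RUN=1; build_ruleset) | grep -c "^$IPTABLES "
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  (DRY_RUN=1; build_ruleset) ;;
esac
```

Because the DROP rule precedes the `--set` rule for the same list, the eleventh SYN in a minute from one source to port 22 is dropped while the first ten are recorded and passed on; rate-limited SYNs to port 80 are counted in their own list and do not affect port 22.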

Once you know you are under attack, block the IP address or subnet since this will be revealed in the attack packets. Furthermore, contact your upstream internet provider to get those IP addresses blocked at their ingress.

The iptables package shipped with Red Hat Enterprise Linux 3 does not have the libipt_recent module; therefore, the above iptables example cannot be used. If you use Red Hat Enterprise Linux 3, you need to contact your upstream internet provider to have the attacker's IP addresses blocked at their ingress, as noted above.

Note: Support for connlimit in the kernel was added in Red Hat Enterprise Linux 5 via the Red Hat Security Advisory RHSA-2009:1243. At the time this article was published, a bug prevented connlimit from working correctly. This bug has been addressed for Red Hat Enterprise Linux 5 via the Red Hat Bug Fix Advisory RHBA-2009:1539, and for Red Hat Enterprise MRG via the Red Hat Security Advisory RHSA-2009:1540. This bug is still present on Red Hat Enterprise Linux 3 and 4.

Further Assistance

If you require assistance with mitigating this issue, please contact Red Hat support.

Revision History

Update 14th September 2009: This article has been updated to include explanations of the example iptables rules in the Mitigation section.

Update 5th October 2009: This article has been updated with clearer iptables rules to avoid confusion (the changed rules use the same logic as the previous rules).

Update 9th April 2010: This article has been updated to include links to errata (for Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG) that address a bug that prevented connlimit from working correctly.

Update 21st May 2010: This article has been updated to note that the iptables example does not work on Red Hat Enterprise Linux 3.

Update 23rd November 2010: This article has been updated with the correct Red Hat support link in the "Further Assistance" section.