summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5961.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5961.txt')
-rw-r--r--doc/rfc/rfc5961.txt1067
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc5961.txt b/doc/rfc/rfc5961.txt
new file mode 100644
index 0000000..69170d7
--- /dev/null
+++ b/doc/rfc/rfc5961.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) A. Ramaiah
+Request for Comments: 5961 Cisco
+Category: Standards Track R. Stewart
+ISSN: 2070-1721 Huawei
+ M. Dalal
+ Cisco
+ August 2010
+
+
+ Improving TCP's Robustness to Blind In-Window Attacks
+
+Abstract
+
+ TCP has historically been considered to be protected against spoofed
+ off-path packet injection attacks by relying on the fact that it is
+ difficult to guess the 4-tuple (the source and destination IP
+ addresses and the source and destination ports) in combination with
+ the 32-bit sequence number(s). A combination of increasing window
+ sizes and applications using longer-term connections (e.g., H-323 or
+ Border Gateway Protocol (BGP) [RFC4271]) have left modern TCP
+ implementations more vulnerable to these types of spoofed packet
+ injection attacks.
+
+ Many of these long-term TCP applications tend to have predictable IP
+ addresses and ports that makes it far easier for the 4-tuple (4-tuple
+ is the same as the socket pair mentioned in RFC 793) to be guessed.
+ Having guessed the 4-tuple correctly, an attacker can inject a TCP
+ segment with the RST bit set, the SYN bit set or data into a TCP
+ connection by systematically guessing the sequence number of the
+ spoofed segment to be in the current receive window. This can cause
+ the connection to abort or cause data corruption. This document
+ specifies small modifications to the way TCP handles inbound segments
+ that can reduce the chances of a successful attack.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5961.
+
+
+
+
+Ramaiah, et al. Standards Track [Page 1]
+
+RFC 5961 TCP Security August 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Applicability Statement ....................................3
+ 1.2. Basic Attack Methodology ...................................4
+ 1.3. Attack probabilities .......................................5
+ 2. Terminology .....................................................7
+ 3. Blind Reset Attack Using the RST Bit ............................7
+ 3.1. Description of the Attack ..................................7
+ 3.2. Mitigation .................................................7
+ 4. Blind Reset Attack Using the SYN Bit ............................9
+ 4.1. Description of the Attack ..................................9
+ 4.2. Mitigation .................................................9
+ 5. Blind Data Injection Attack ....................................10
+ 5.1. Description of the Attack .................................10
+ 5.2. Mitigation ................................................11
+ 6. Suggested Mitigation Strengths .................................12
+ 7. ACK Throttling .................................................12
+ 8. Backward Compatibility and Other Considerations ................13
+ 9. Middlebox Considerations .......................................14
+ 9.1. Middlebox That Resend RSTs ................................14
+ 9.2. Middleboxes That Advance Sequence Numbers .................15
+ 9.3. Middleboxes That Drop the Challenge ACK ...................15
+ 10. Security Considerations .......................................16
+ 11. Contributors ..................................................17
+ 12. Acknowledgments ...............................................17
+ 13. References ....................................................17
+ 13.1. Normative References .....................................17
+ 13.2. Informative References ...................................17
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 2]
+
+RFC 5961 TCP Security August 2010
+
+
+1. Introduction
+
+ TCP [RFC0793] is widely deployed and the most common reliable end-to-
+ end transport protocol used for data communication in today's
+ Internet. Yet, when it was standardized over 20 years ago, the
+ Internet was a different place, lacking many of the threats that are
+ now common. The off-path TCP spoofing attacks, which are seen in the
+ Internet today, fall into this category.
+
+ In a TCP spoofing attack, an off-path attacker crafts TCP packets by
+ forging the IP source and destination addresses as well as the source
+ and destination ports (referred to as a 4-tuple value in this
+ document). The targeted TCP endpoint will then associate such a
+ packet with an existing TCP connection. It needs to be noted that,
+ guessing this 4-tuple value is not always easy for an attacker. But
+ there are some applications (e.g., BGP [RFC4271]) that have a
+ tendency to use the same set(s) of ports on either endpoint, making
+ the odds of correctly guessing the 4-tuple value much easier. When
+ an attacker is successful in guessing the 4-tuple value, one of three
+ types of injection attacks may be waged against a long-lived
+ connection.
+ RST - Where an attacker injects a RST segment hoping to cause the
+ connection to be torn down. "RST segment" here refers to a TCP
+ segment with the RST bit set.
+ SYN - Where an attacker injects a SYN hoping to cause the receiver
+ to believe the peer has restarted and therefore tear down the
+ connection state. "SYN segment" here refers to a TCP segment with
+ SYN bit set.
+ DATA - Where an attacker tries to inject a DATA segment to corrupt
+ the contents of the transmission. "DATA segment" here refers to
+ any TCP segment containing data.
+
+1.1. Applicability Statement
+
+ This document talks about some known in-window attacks and suitable
+ defenses against these. The mitigations suggested in this document
+ SHOULD be implemented in devices that regularly need to maintain TCP
+ connections of the kind most vulnerable to the attacks described in
+ this document. Examples of such TCP connections are the ones that
+ tend to be long-lived and where the connection endpoints can be
+ determined, in cases where no auxiliary anti-spoofing protection
+ mechanisms like TCP MD5 [RFC2385] can be deployed. These mitigations
+ MAY be implemented in other cases.
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 3]
+
+RFC 5961 TCP Security August 2010
+
+
+1.2. Basic Attack Methodology
+
+ Focusing upon the RST attack, we examine this attack in more detail
+ to get an overview as to how it works and how this document addresses
+ the issue. For this attack, the goal is for the attacker to cause
+ one of the two endpoints of the connection to incorrectly tear down
+ the connection state, effectively aborting the connection. One of
+ the important things to note is that for the attack to succeed the
+ RST needs to be in the valid receive window. It also needs to be
+ emphasized that the receive window is independent of the current
+ congestion window of the TCP connection. The attacker would try to
+ forge many RST segments to try to cover the space of possible windows
+ by putting out a packet in each potential window. To do this, the
+ attacker needs to have or guess several pieces of information namely:
+
+ 1) The 4-tuple value containing the IP address and TCP port number of
+ both ends of the connection. For one side (usually the server),
+ guessing the port number is a trivial exercise. The client side
+ may or may not be easy for an attacker to guess depending on a
+ number of factors, most notably the operating system and
+ application involved.
+
+ 2) A sequence number that will be used in the RST. This sequence
+ number will be a starting point for a series of guesses to attempt
+ to present a RST segment to a connection endpoint that would be
+ acceptable to it. Any random value may be used to guess the
+ starting sequence number.
+
+ 3) The window size that the two endpoints are using. This value does
+ NOT have to be the exact window size since a smaller value used in
+ lieu of the correct one will just cause the attacker to generate
+ more segments before succeeding in his mischief. Most modern
+ operating systems have a default window size that usually is
+ applied to most connections. Some applications however may change
+ the window size to better suit the needs of the application. So
+ often times the attacker, with a fair degree of certainty (knowing
+ the application that is under attack), can come up with a very
+ close approximation as to the actual window size in use on the
+ connection.
+
+ After assembling the above set of information, the attacker begins
+ sending spoofed TCP segments with the RST bit set and a guessed TCP
+ sequence number. Each time a new RST segment is sent, the sequence
+ number guess is incremented by the window size. The feasibility of
+ this methodology (without mitigations) was first shown in [SITW].
+ This is because [RFC0793] specifies that any RST within the current
+ window is acceptable. Also, [RFC4953] talks about the probability of
+ a successful attack with varying window sizes and bandwidth.
+
+
+
+Ramaiah, et al. Standards Track [Page 4]
+
+RFC 5961 TCP Security August 2010
+
+
+ A slight enhancement to TCP's segment processing rules can be made,
+ which makes such an attack much more difficult to accomplish. If the
+ receiver examines the incoming RST segment and validates that the
+ sequence number exactly matches the sequence number that is next
+ expected, then such an attack becomes much more difficult than
+ outlined in [SITW] (i.e., the attacker would have to generate 1/2 the
+ entire sequence space, on average). This document will discuss the
+ exact details of what needs to be changed within TCP's segment
+ processing rules to mitigate all three types of attacks (RST, SYN,
+ and DATA).
+
+1.3. Attack probabilities
+
+ Every application has control of a number of factors that drastically
+ affect the probability of a successful spoofing attack. These
+ factors include such things as:
+
+ Window Size - Normally settable by the application but often times
+ defaulting to 32,768 or 65,535 depending upon the operating system
+ (see Figure 6 of [Medina05]).
+
+ Server Port number - This value is normally a fixed value so that a
+ client will know where to connect to the peer. Thus, this value
+ normally provides no additional protection.
+
+ Client Port number - This value may be a random ephemeral value, if
+ so, this makes a spoofing attack more difficult. There are some
+ clients, however, that for whatever reason either pick a fixed
+ client port or have a very guessable one (due to the range of
+ ephemeral ports available with their operating system or other
+ application considerations) for such applications a spoofing
+ attack becomes less difficult.
+
+ For the purposes of the rest of this discussion we will assume that
+ the attacker knows the 4-tuple values. This assumption will help us
+ focus on the effects of the window size versus the number of TCP
+ packets an attacker must generate. This assumption will rarely be
+ true in the real Internet since at least the client port number will
+ provide us with some amount of randomness (depending on the operating
+ system).
+
+ To successfully inject a spoofed packet (RST, SYN, or DATA), in the
+ past, the entire sequence space (i.e., 2^32) was often considered
+ available to make such an attack unlikely. [SITW] demonstrated that
+ this assumption was incorrect and that instead of (1/2 * 2^32)
+ packets (assuming a random distribution), (1/2 * (2^32/window))
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 5]
+
+RFC 5961 TCP Security August 2010
+
+
+ packets are required. In other words, the mean number of tries
+ needed to inject a RST segment is (2^31/window) rather than the 2^31
+ assumed before.
+
+ Substituting numbers into this formula, we see that for a window size
+ of 32,768, an average of 65,536 packets would need to be transmitted
+ in order to "spoof" a TCP segment that would be acceptable to a TCP
+ receiver. A window size of 65,535 reduces this even further to
+ 32,768 packets. At today's access bandwidths, an attack of that size
+ is feasible.
+
+ With rises in bandwidth to both the home and office, it can only be
+ expected that the values for default window sizes will continue to
+ rise in order to better take advantage of the newly available
+ bandwidth. It also needs to be noted that this attack can be
+ performed in a distributed fashion in order potentially gain access
+ to more bandwidth.
+
+ As we can see from the above discussion this weakness lowers the bar
+ quite considerably for likely attacks. But there is one additional
+ dependency that is the duration of the TCP connection. A TCP
+ connection that lasts only a few brief packets, as often is the case
+ for web traffic, would not be subject to such an attack since the
+ connection may not be established long enough for an attacker to
+ generate enough traffic. However, there is a set of applications,
+ such as BGP [RFC4271], that is judged to be potentially most affected
+ by this vulnerability. BGP relies on a persistent TCP session
+ between BGP peers. Resetting the connection can result in term-
+ medium unavailability due to the need to rebuild routing tables and
+ route flapping; see [NISCC] for further details.
+
+ For applications that can use the TCP MD5 option [RFC2385], such as
+ BGP, that option makes the attacks described in this specification
+ effectively impossible. However, some applications or
+ implementations may find that option expensive to implement.
+
+ There are alternative protections against the threats that this
+ document addresses. For further details regarding the attacks and
+ the existing techniques, please refer to [RFC4953]. It also needs to
+ be emphasized that, as suggested in [TSVWG-PORT] and [RFC1948], port
+ randomization and initial sequence number (ISN) randomization would
+ help improve the robustness of the TCP connection against off-path
+ attacks.
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 6]
+
+RFC 5961 TCP Security August 2010
+
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119]. TCP
+ terminology should be interpreted as described in [RFC0793].
+
+3. Blind Reset Attack Using the RST Bit
+
+3.1. Description of the Attack
+
+ As described in the introduction, it is possible for an attacker to
+ generate a RST segment that would be acceptable to a TCP receiver by
+ guessing in-window sequence numbers. In particular [RFC0793], page
+ 37, states the following:
+
+ In all states except SYN-SENT, all reset (RST) segments are
+ validated by checking their SEQ-fields [sequence numbers]. A
+ reset is valid if its sequence number is in the window. In the
+ SYN-SENT state (a RST received in response to an initial SYN), the
+ RST is acceptable if the ACK field acknowledges the SYN.
+
+3.2. Mitigation
+
+ [RFC0793] currently requires handling of a segment with the RST bit
+ when in a synchronized state to be processed as follows:
+
+ 1) If the RST bit is set and the sequence number is outside the
+ current receive window (SEG.SEQ <= RCV.NXT || SEG.SEQ > RCV.NXT+
+ RCV.WND), silently drop the segment.
+
+ 2) If the RST bit is set and the sequence number is acceptable, i.e.,
+ (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND), then reset the connection.
+
+ Instead, implementations SHOULD implement the following steps in
+ place of those specified in [RFC0793] (as listed above).
+
+ 1) If the RST bit is set and the sequence number is outside the
+ current receive window, silently drop the segment.
+
+ 2) If the RST bit is set and the sequence number exactly matches the
+ next expected sequence number (RCV.NXT), then TCP MUST reset the
+ connection.
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 7]
+
+RFC 5961 TCP Security August 2010
+
+
+ 3) If the RST bit is set and the sequence number does not exactly
+ match the next expected sequence value, yet is within the current
+ receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND), TCP MUST
+ send an acknowledgment (challenge ACK):
+
+ <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
+
+ After sending the challenge ACK, TCP MUST drop the unacceptable
+ segment and stop processing the incoming packet further. Further
+ segments destined to this connection will be processed as normal.
+
+ The modified RST segment processing would thus become:
+
+ In all states except SYN-SENT, all reset (RST) segments are validated
+ by checking their SEQ-fields [sequence numbers]. A reset is valid if
+ its sequence number exactly matches the next expected sequence
+ number. If the RST arrives and its sequence number field does NOT
+ match the next expected sequence number but is within the window,
+ then the receiver should generate an ACK. In all other cases, where
+ the SEQ-field does not match and is outside the window, the receiver
+ MUST silently discard the segment.
+
+ In the SYN-SENT state (a RST received in response to an initial SYN),
+ the RST is acceptable if the ACK field acknowledges the SYN. In all
+ other cases the receiver MUST silently discard the segment.
+
+ With the above slight change to the TCP state machine, it becomes
+ much harder for an attacker to generate an acceptable reset segment.
+
+ In cases where the remote peer did generate a RST, but it fails to
+ meet the above criteria (the RST sequence number was within the
+ window but NOT the exact expected sequence number), when the
+ challenge ACK is sent back, it will no longer have the transmission
+ control block (TCB) related to this connection and hence as per
+ [RFC0793], the remote peer will send a second RST back. The sequence
+ number of the second RST is derived from the acknowledgment number of
+ the incoming ACK. This second RST, if it reaches the sender, will
+ cause the connection to be aborted since the sequence number would
+ now be an exact match.
+
+ A valid RST received out of order would still generate a challenge
+ ACK in response. If this RST happens to be a genuine one, the other
+ end would send an RST with an exact sequence number match that would
+ cause the connection to be dropped.
+
+ Note that the above mitigation may cause a non-amplification ACK
+ exchange. This concern is discussed in Section 10.
+
+
+
+
+Ramaiah, et al. Standards Track [Page 8]
+
+RFC 5961 TCP Security August 2010
+
+
+4. Blind Reset Attack Using the SYN Bit
+
+4.1. Description of the Attack
+
+ The analysis of the reset attack using the RST bit highlights another
+ possible avenue for a blind attacker using a similar set of sequence
+ number guessing. Instead of using the RST bit, an attacker can use
+ the SYN bit with the exact same semantics to tear down a connection.
+
+4.2. Mitigation
+
+ [RFC0793] currently requires handling of a segment with the SYN bit
+ set in the synchronized state to be as follows:
+
+ 1) If the SYN bit is set and the sequence number is outside the
+ expected window, send an ACK back to the sender.
+
+ 2) If the SYN bit is set and the sequence number is acceptable, i.e.,
+ (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND), then send a RST segment to
+ the sender.
+
+ Instead, the handling of the SYN in the synchronized state SHOULD be
+ performed as follows:
+
+ 1) If the SYN bit is set, irrespective of the sequence number, TCP
+ MUST send an ACK (also referred to as challenge ACK) to the remote
+ peer:
+
+ <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
+
+ After sending the acknowledgment, TCP MUST drop the unacceptable
+ segment and stop processing further.
+
+ By sending an ACK, the remote peer is challenged to confirm the loss
+ of the previous connection and the request to start a new connection.
+ A legitimate peer, after restart, would not have a TCB in the
+ synchronized state. Thus, when the ACK arrives, the peer should send
+ a RST segment back with the sequence number derived from the ACK
+ field that caused the RST.
+
+ This RST will confirm that the remote peer has indeed closed the
+ previous connection. Upon receipt of a valid RST, the local TCP
+ endpoint MUST terminate its connection. The local TCP endpoint
+ should then rely on SYN retransmission from the remote end to
+ re-establish the connection.
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 9]
+
+RFC 5961 TCP Security August 2010
+
+
+ A spoofed SYN, on the other hand, will then have generated an
+ additional ACK that the peer will discard as a duplicate ACK and will
+ not affect the established connection.
+
+ Note that this mitigation does leave one corner case un-handled,
+ which will prevent the reset of a connection when it should be reset
+ (i.e., it is a non-spoofed SYN wherein a peer really did restart).
+ This problem occurs when the restarting host chooses the exact same
+ IP address and port number that it was using prior to its restart.
+ By chance, the restarted host must also choose an initial sequence
+ number of exactly (RCV.NXT - 1) of the remote peer that is still in
+ the established state. Such a case would cause the receiver to
+ generate a "challenge" ACK as described above. But since the ACK
+ would be within the outgoing connections window, the inbound ACK
+ would be acceptable, and the sender of the SYN will do nothing with
+ the response ACK. This sequence will continue as the SYN sender
+ continually times out and retransmits the SYN until such time as the
+ connection attempt fails.
+
+ This corner case is a result of the [RFC0793] specification and is
+ not introduced by these new requirements.
+
+ Note that the above mitigation may cause a non-amplification ACK
+ exchange. This concern is discussed in Section 10.
+
+5. Blind Data Injection Attack
+
+5.1. Description of the Attack
+
+ A third type of attack is also highlighted by both the RST and SYN
+ attacks. It is also possible to inject data into a TCP connection by
+ simply guessing a sequence number within the current receive window
+ of the victim. The ACK value of any data segment is considered valid
+ as long as it does not acknowledge data ahead of the next segment to
+ send. In other words, an ACK value is acceptable if it is
+ ((SND.UNA-(2^31-1)) <= SEG.ACK <= SND.NXT). The (2^31 - 1) in the
+ above inequality takes into account the fact that comparisons on TCP
+ sequence and acknowledgment numbers is done using the modulo 32-bit
+ arithmetic to accommodate the number wraparound. This means that an
+ attacker has to guess two ACK values with every guessed sequence
+ number so that the chances of successfully injecting data into a
+ connection are 1 in ( 1/2 (2^32 / RCV.WND) * 2). Thus, the mean
+ number of tries needed to inject data successfully is
+ 1/2 (2*2^32/RWND) = 2^32/RCV.WND.
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 10]
+
+RFC 5961 TCP Security August 2010
+
+
+ When an attacker successfully injects data into a connection, the
+ data will sit in the receiver's re-assembly queue until the peer
+ sends enough data to bridge the gap between the RCV.NXT value and the
+ injected data. At that point, one of two things will occur:
+
+ 1) A packet war will ensue with the receiver indicating that it has
+ received data up until RCV.NXT (which includes the attacker's
+ data) and the sender sending an ACK with an acknowledgment number
+ less than RCV.NXT.
+
+ 2) The sender will send enough data to the peer that will move
+ RCV.NXT even further along past the injected data.
+
+ Depending upon the TCP implementation in question and the TCP traffic
+ characteristics at that time, data corruption may result. In case
+ (a), the connection will eventually be reset by one of the sides
+ unless the sender produces more data that will transform the ACK war
+ into case (b). The reset will usually occur via User Time Out (UTO)
+ (see section 4.2.3.5 of [RFC1122]).
+
+ Note that the protections illustrated in this section neither cause
+ an ACK war nor prevent one from occurring if data is actually
+ injected into a connection. The ACK war is a product of the attack
+ itself and cannot be prevented (other than by preventing the data
+ from being injected).
+
+5.2. Mitigation
+
+ All TCP stacks MAY implement the following mitigation. TCP stacks
+ that implement this mitigation MUST add an additional input check to
+ any incoming segment. The ACK value is considered acceptable only if
+ it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
+ SND.NXT). All incoming segments whose ACK value doesn't satisfy the
+ above condition MUST be discarded and an ACK sent back. It needs to
+ be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
+ duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
+ acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
+ ACK, drop the segment, and return". The "ignored" above implies that
+ the processing of the incoming data segment continues, which means
+ the ACK value is treated as acceptable. This mitigation makes the
+ ACK check more stringent since any ACK < SND.UNA wouldn't be
+ accepted, instead only ACKs that are in the range ((SND.UNA -
+ MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
+
+ A new state variable MAX.SND.WND is defined as the largest window
+ that the local sender has ever received from its peer. This window
+ may be scaled to a value larger than 65,535 bytes ([RFC1323]). This
+ small check will reduce the vulnerability to an attacker guessing a
+
+
+
+Ramaiah, et al. Standards Track [Page 11]
+
+RFC 5961 TCP Security August 2010
+
+
+ valid sequence number, since, not only one must guess the in-window
+ sequence number, but also guess a proper ACK value within a scoped
+ range. This mitigation reduces, but does not eliminate, the ability
+ to generate false segments. It does however reduce the probability
+ that invalid data will be injected.
+
+ Implementations can also chose to hard code the MAX.SND.WND value to
+ the maximum permissible window size, i.e., 65535 in the absence of
+ window scaling. In the presence of the window scaling option, the
+ value becomes (MAX.SND.WND << Snd.Wind.Scale).
+
+ This mitigation also helps in improving robustness on accepting
+ spoofed FIN segments (FIN attacks). Among other things, this
+ mitigation requires that the attacker also needs to get the
+ acknowledgment number to fall in the range mentioned above in order
+ to successfully spoof a FIN segment leading to the closure of the
+ connection. Thus, this mitigation greatly improves the robustness to
+ spoofed FIN segments.
+
+ Note that the above mitigation may cause a non-amplification ACK
+ exchange. This concern is discussed in Section 10.
+
+6. Suggested Mitigation Strengths
+
+ As described in the above sections, recommendation levels for RST,
+ SYN, and DATA are tagged as SHOULD, SHOULD, and MAY, respectively.
+ The reason that DATA mitigation is tagged as MAY, even though it
+ increased the TCP robustness in general is because, the DATA
+ injection is perceived to be more difficult (twice as unlikely) when
+ compared to RST and SYN counterparts. However, it needs to be noted
+ that all the suggested mitigations improve TCP's robustness in
+ general and hence the choice of implementing some or all mitigations
+ recommended in the document is purely left to the implementer.
+
+7. ACK Throttling
+
+ In order to alleviate multiple RSTs/SYNs from triggering multiple
+ challenge ACKs, an ACK throttling mechanism is suggested as follows:
+
+ 1) The system administrator can configure the number of challenge
+ ACKs that can be sent out in a given interval. For example, in
+ any 5 second window, no more than 10 challenge ACKs should be
+ sent.
+
+ 2) The values for both the time and number of ACKs SHOULD be tunable
+ by the system administrator to accommodate different perceived
+ levels of threat and/or system resources.
+
+
+
+
+Ramaiah, et al. Standards Track [Page 12]
+
+RFC 5961 TCP Security August 2010
+
+
+ It should be noted that these numbers are empirical in nature and
+ have been obtained from the RST throttling mechanisms existing in
+ some implementations. Also, note that no timer is needed to
+ implement the above mechanism, instead a timestamp and a counter can
+ be used.
+
+ An implementation SHOULD include an ACK throttling mechanism to be
+ conservative. While we have not encountered a case where the lack of
+ ACK throttling can be exploited, as a fail-safe mechanism we
+ recommend its use. An implementation may take an excessive number of
+ invocations of the throttling mechanism as an indication that network
+ conditions are unusual or hostile.
+
+ An administrator who is more concerned about protecting his bandwidth
+ and CPU utilization may set smaller ACK throttling values whereas an
+ administrator who is more interested in faster cleanup of stale
+ connections (i.e., concerned about excess TCP state) may decide to
+ set a higher value thus allowing more RST's to be processed in any
+ given time period.
+
+ The time limit SHOULD be tunable to help timeout brute force attacks
+ faster than a potential legitimate flood of RSTs.
+
+8. Backward Compatibility and Other Considerations
+
+ All of the new required mitigation techniques in this document are
+ totally compatible with existing ([RFC0793]) compliant TCP
+ implementations as this document introduces no new assumptions or
+ conditions.
+
+ There is a corner scenario in the above mitigations that will require
+ more than one round-trip time to successfully abort the connection as
+ per the figure below. This scenario is similar to the one in which
+ the original RST was lost in the network.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 13]
+
+RFC 5961 TCP Security August 2010
+
+
+ TCP A TCP B
+ 1.a. ESTAB <-- <SEQ=300><ACK=101><CTL=ACK><DATA> <-- ESTAB
+ b. (delayed) ... <SEQ=400><ACK=101><CTL=ACK><DATA> <-- ESTAB
+ c. (in flight) ... <SEQ=500><ACK=101><CTL=RST> <-- CLOSED
+ 2. ESTAB --> <SEQ=101><ACK=400><CTL=ACK> --> CLOSED
+ (ACK for 1.a)
+ ... <SEQ=400><ACK=0><CTL=RST> <-- CLOSED
+ 3. CHALLENGE --> <SEQ=101><ACK=400><CTL=ACK> --> CLOSED
+ (for 1.c)
+ ... <SEQ=400><ACK=0><CTL=RST> <-- RESPONSE
+ 4.a. ESTAB <-- <SEQ=400><ACK=101><CTL=ACK><DATA> 1.b reaches A
+ b. ESTAB --> <SEQ=101><ACK=500><CTL=ACK>
+ c. (in flight) ... <SEQ=500><ACK=0><CTL=RST> <-- CLOSED
+ 5. RESPONSE arrives at A, but dropped since its outside of window.
+ 6. ESTAB <-- <SEQ=500><ACK=0><CTL=RST> 4.c reaches A
+ 7. CLOSED CLOSED
+
+ For the mitigation to be maximally effective against the
+ vulnerabilities discussed in this document, both ends of the TCP
+ connection need to have the fix. Although, having the mitigations at
+ one end might prevent that end from being exposed to the attack, the
+ connection is still vulnerable at the other end.
+
+9. Middlebox Considerations
+
+9.1. Middlebox That Resend RSTs
+
+ Consider a middlebox M-B tracking connections between two TCP end
+ hosts E-A and E-C. If E-C sends a RST with a sequence number that is
+ within the window but not an exact match to reset the connection and
+ M-B does not have the fix recommended in this document, it may clear
+ the connection and forward the RST to E-A saving an incorrect
+ sequence number. If E-A does not have the fix, the connection would
+ get cleared as required. However, if E-A does have the required fix,
+ it will send a challenge ACK to E-C. M-B, being a middlebox, may
+ intercept this ACK and resend the RST on behalf of E-C with the old
+ sequence number. This RST will, again, not be acceptable and may
+ trigger a challenge ACK.
+
+ The above situation may result in a RST/ACK war. However, we believe
+ that if such a case exists in the Internet, the middlebox is
+ generating packets a conformant TCP endpoint would not generate.
+ [RFC0793] dictates that the sequence number of a RST has to be
+ derived from the acknowledgment number of the incoming ACK segment.
+ It is outside the scope of this document to suggest mitigations to
+ the ill-behaved middleboxes.
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 14]
+
+RFC 5961 TCP Security August 2010
+
+
+ Consider a similar scenario where the RST from M-B to E-A gets lost,
+ E-A will continue to hold the connection and E-A might send an ACK an
+ arbitrary time later after the connection state was destroyed at M-B.
+ For this case, M-B will have to cache the RST for an arbitrary amount
+ of time until it is confirmed that the connection has been cleared at
+ E-A.
+
+9.2. Middleboxes That Advance Sequence Numbers
+
+ Some middleboxes may compute RST sequence numbers at the higher end
+ of the acceptable window. The scenario is the same as the earlier
+ case, but in this case instead of sending the cached RST, the
+ middlebox (M-B) sends a RST that computes its sequence number as the
+ sum of the acknowledgment field in the ACK and the window advertised
+ by the ACK that was sent by E-A to challenge the RST as depicted
+ below. The difference in the sequence numbers between step 1 and 2
+ below is due to data lost in the network.
+
+ TCP A Middlebox
+
+ 1. ESTABLISHED <-- <SEQ=500><ACK=100><CTL=RST> <-- CLOSED
+
+ 2. ESTABLISHED --> <SEQ=100><ACK=300><WND=500><CTL=ACK> --> CLOSED
+
+ 3. ESTABLISHED <-- <SEQ=800><ACK=100><CTL=RST> <-- CLOSED
+
+ 4. ESTABLISHED --> <SEQ=100><ACK=300><WND=500><CTL=ACK> --> CLOSED
+
+ 5. ESTABLISHED <-- <SEQ=800><ACK=100><CTL=RST> <-- CLOSED
+
+ Although the authors are not aware of an implementation that does the
+ above, it could be mitigated by implementing the ACK throttling
+ mechanism described earlier.
+
+9.3. Middleboxes That Drop the Challenge ACK
+
+ It also needs to be noted that, some middleboxes (Firewalls/NATs)
+ that don't have the fix recommended in the document, may drop the
+ challenge ACK. This can happen because, the original RST segment
+ that was in window had already cleared the flow state pertaining to
+ the TCP connection in the middlebox. In such cases, the end hosts
+ that have implemented the RST mitigation described in this document,
+ will have the TCP connection left open. This is a corner case and
+ can go away if the middlebox is conformant with the changes proposed
+ in this document.
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 15]
+
+RFC 5961 TCP Security August 2010
+
+
+10. Security Considerations
+
+ These changes to the TCP state machine do NOT protect an
+ implementation from on-path attacks. It also needs to be emphasized
+ that while mitigations within this document make it harder for off-
+ path attackers to inject segments, it does NOT make it impossible.
+ The only way to fully protect a TCP connection from both on- and off-
+ path attacks is by using either IPsec Authentication Header (AH)
+ [RFC4302] or IPsec Encapsulating Security Payload (ESP) [RFC4303].
+
+ Implementers also should be aware that the attacks detailed in this
+ specification are not the only attacks available to an off-path
+ attacker and that the counter measures described herein are not a
+ comprehensive defense against such attacks.
+
+ In particular, administrators should be aware that forged ICMP
+ messages provide off-path attackers the opportunity to disrupt
+ connections or degrade service. Such attacks may be subject to even
+ less scrutiny than the TCP attacks addressed here, especially in
+ stacks not tuned for hostile environments. It is important to note
+ that some ICMP messages, validated or not, are key to the proper
+ function of TCP. Those ICMP messages used to properly set the path
+ maximum transmission unit are the most obvious example. There are a
+ variety of ways to choose which, if any, ICMP messages to trust in
+ the presence of off-path attackers and choosing between them depends
+ on the assumptions and guarantees developers and administrators can
+ make about their network. This specification does not attempt to do
+ more than note this and related issues. Unless implementers address
+ spoofed ICMP messages [RFC5927], the mitigations specified in this
+ document may not provide the desired protection level.
+
+ In any case, this RFC details only part of a complete strategy to
+ prevent off-path attackers from disrupting services that use TCP.
+ Administrators and implementers should consider the other attack
+ vectors and determine appropriate mitigations in securing their
+ systems.
+
+ Another notable consideration is that a reflector attack is possible
+ with the required RST/SYN mitigation techniques. In this attack, an
+ off-path attacker can cause a victim to send an ACK segment for each
+ spoofed RST/SYN segment that lies within the current receive window
+ of the victim. It should be noted, however, that this does not cause
+ any amplification since the attacker must generate a segment for each
+ one that the victim will generate.
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 16]
+
+RFC 5961 TCP Security August 2010
+
+
+11. Contributors
+
+ Mitesh Dalal and Amol Khare of Cisco Systems came up with the
+ solution for the RST/SYN attacks. Anantha Ramaiah and Randall
+ Stewart of Cisco Systems discovered the data injection vulnerability
+ and together with Patrick Mahan and Peter Lei of Cisco Systems found
+ solutions for the same. Paul Goyette, Mark Baushke, Frank
+ Kastenholz, Art Stine, and David Wang of Juniper Networks provided
+ the insight that apart from RSTs, SYNs could also result in
+ formidable attacks. Shrirang Bage of Cisco Systems, Qing Li and
+ Preety Puri of Wind River Systems, and Xiaodan Tang of QNX Software
+ along with the folks above helped in ratifying and testing the
+ interoperability of the suggested solutions.
+
+12. Acknowledgments
+
+ Special thanks to Mark Allman, Ted Faber, Steve Bellovin, Vern
+ Paxson, Allison Mankin, Sharad Ahlawat, Damir Rajnovic, John Wong,
+ Joe Touch, Alfred Hoenes, Andre Oppermann, Fernando Gont, Sandra
+ Murphy, Brian Carpenter, Cullen Jennings, and other members of the
+ tcpm WG for suggestions and comments. ACK throttling was introduced
+ to this document by combining the suggestions from the tcpm working
+ group.
+
+13. References
+
+13.1. Normative References
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
+ RFC 793, September 1981.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+13.2. Informative References
+
+ [Medina05] Medina, A., Allman, M., and S. Floyd, "Measuring the
+ Evolution of Transport Protocols in the Internet", ACM
+ Computer Communication Review, 35(2), April 2005,
+ <http://www.icir.org/mallman/papers/tcp-evo-ccr05.ps>.
+
+ [NISCC] NISCC, "NISCC Vulnerability Advisory 236929 -
+ Vulnerability Issues in TCP".
+
+ [RFC1122] Braden, R., "Requirements for Internet Hosts -
+ Communication Layers", STD 3, RFC 1122, October 1989.
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 17]
+
+RFC 5961 TCP Security August 2010
+
+
+ [RFC1323] Jacobson, V., Braden, B., and D. Borman, "TCP
+ Extensions for High Performance", RFC 1323, May 1992.
+
+ [RFC1948] Bellovin, S., "Defending Against Sequence Number
+ Attacks", RFC 1948, May 1996.
+
+ [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP
+ MD5 Signature Option", RFC 2385, August 1998.
+
+ [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
+ Protocol 4 (BGP-4)", RFC 4271, January 2006.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
+ December 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005.
+
+ [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks",
+ RFC 4953, July 2007.
+
+ [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
+ July 2010.
+
+ [SITW] Watson, P., "Slipping in the Window: TCP Reset
+ attacks", Presentation at 2004 CanSecWest,
+ <http://cansecwest.com/csw04archive.html>.
+
+ [TSVWG-PORT] Larsen, M. and F. Gont, "Transport Protocol Port
+ Randomization Recommendations", Work in Progress,
+ August 2010.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 18]
+
+RFC 5961 TCP Security August 2010
+
+
+Authors' Addresses
+
+ Anantha Ramaiah
+ Cisco Systems
+ 170 Tasman Drive
+ San Jose, CA 95134
+ USA
+
+ Phone: +1 (408) 525-6486
+ EMail: ananth@cisco.com
+
+
+ Randall R. Stewart
+ Huawei
+ 148 Crystal Cove Ct
+ Chapin, SC 29036
+ USA
+
+ Phone: +1 (803) 345-0369
+ EMail: rstewart@huawei.com
+
+
+ Mitesh Dalal
+ Cisco Systems
+ 170 Tasman Drive
+ San Jose, CA 95134
+ USA
+
+ Phone: +1 (408) 853-5257
+ EMail: mdalal@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Ramaiah, et al. Standards Track [Page 19]
+