Prevent TCP Zero Window DDNS (Sockstress) Attacks
Question:
Can pfSense help me protect my mail server from a 12 year old TCP vulnerability?

Explanation:
We had a TCP ZeroWindow attack on our mail server yesterday. FYI: That's one of the TCP vulnerabilities revealed by the SockStress tool, 2 years ago.
DHS/CERT called for the network hardware manufacturers to deal with it. Beats me if anything was done.

Yesterday's Event:
- A Comcast IP attempts to deliver mail to our mail server.
- Mail Server checks the Comcast IP address against a DNSBL and the BL returns a positive. (Bad IP. No delivery for you.)
- My mail server promptly disconnects.
- Immediately, that same IP sends an HTTP request with the window size set to zero.
- Then my server responds w/ a zero-window probe, as required by (RFC 1122) RFC-793 Section 3.7, page 42. This establishes a new connection to the spammer's IP Address.
- Spamming IP then sends another HTTP request w/ the window size set to zero. My server responds as before and now has 2 connections to the Spamming IP.
- This little drama is repeated 100-200 times. My mail server begins to fret over so many connections.

Further Reading:
ZeroWindow DDNS -> http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html
Sockstress tool -> http://en.wikipedia.org/wiki/Sockstress
DHS/CERT Notification -> http://www.kb.cert.org/vuls/id/723308

Evidence:
Your thoughts are greatly appreciated.
NV
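The pattern the post describes (one remote IP holding many connections open, each with the client's receive window pinned to zero so the server keeps sending zero-window probes) can be spotted in a capture by counting zero-window flows per source. This is an added detection example, not code from the post, pfSense or PF; the packet records, the server address 192.0.2.10:25 and the threshold of 50 flows are constructed assumptions.

```python
"""Spot a Sockstress-style TCP zero-window flood in captured packet summaries."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float    # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    win: int     # advertised receive window

def zero_window_flows(pkts, server_ip, server_port):
    """Map client IP -> set of client ports that advertised a zero receive
    window towards the server after the SYN (the state that makes the server
    keep the connection and send zero-window probes)."""
    flows = defaultdict(set)
    for p in pkts:
        if p.dst != server_ip or p.dport != server_port:
            continue                      # only client -> server traffic
        if "S" in p.flags or "R" in p.flags:
            continue                      # SYN/RST windows are not the steady state
        if p.win == 0:
            flows[p.src].add(p.sport)
    return flows

def detect(pkts, server_ip, server_port, threshold=50):
    """Return {client_ip: flow_count} for clients holding at least
    `threshold` distinct zero-window connections against the server."""
    return {ip: len(ports)
            for ip, ports in zero_window_flows(pkts, server_ip, server_port).items()
            if len(ports) >= threshold}

def sample_capture():
    """Constructed capture: one normal SMTP client plus one source (assumed
    address) that opens 120 connections and pins every window to zero."""
    pkts = [Pkt(0.0, "198.51.100.7", 40001, "192.0.2.10", 25, "S", 65535),
            Pkt(0.1, "198.51.100.7", 40001, "192.0.2.10", 25, "A", 65535),
            Pkt(0.2, "198.51.100.7", 40001, "192.0.2.10", 25, "PA", 65535)]
    for i in range(120):
        t = 1.0 + i * 0.05
        pkts += [Pkt(t, "203.0.113.5", 50000 + i, "192.0.2.10", 25, "S", 512),
                 Pkt(t + 0.01, "203.0.113.5", 50000 + i, "192.0.2.10", 25, "A", 0),
                 Pkt(t + 0.02, "203.0.113.5", 50000 + i, "192.0.2.10", 25, "PA", 0)]
    return pkts

if __name__ == "__main__":
    print(detect(sample_capture(), "192.0.2.10", 25))   # {'203.0.113.5': 120}
```

The same per-source count can be fed from live connection-table output (for example, flows in state ESTABLISHED whose peer window is 0) to raise an alert before the server runs out of sockets.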
PF (the packet filter in pfSense) has packet scrubbing for this which is enabled by default. See here.