Netgate Discussion Forum
Prevent TCP Zero Window DDNS (Sockstress) Attacks

Category: Firewalling
2 Posts, 2 Posters, 3.8k Views
    NoahVail, Nov 11, 2010, 10:32 PM (last edited Nov 12, 2010, 4:12 AM)

    Question:
    Can pfSense help me protect my mail server from a 12-year-old TCP vulnerability?

    Explanation:
    We had a TCP ZeroWindow attack on our mail server yesterday.

    FYI: That's one of the TCP vulnerabilities revealed by the SockStress tool, 2 years ago.
    DHS/CERT called for the network hardware manufacturers to deal with it.  Beats me if anything was done.

    Yesterday's Event:

    1. A Comcast IP attempts to deliver mail to our mail server.

    2. Mail Server checks the Comcast IP address against a DNSBL and the BL returns a positive.
      (Bad IP. No delivery for you.)

    3. My mail server promptly disconnects.

    4. Immediately, that same IP sends an HTTP request with the window size set to zero.

    5. Then my server responds w/ a zero-window probe, as req by (RFC 1122) RFC-793 Section 3.7, page 42.
      This establishes a new connection to the spammer's IP Address.

    6. Spamming IP then sends another HTTP request w/ the window size set to zero.
      My server responds as before and now has 2 connections to the Spamming IP.

    This little drama is repeated 100-200 times.
    My mail server begins to fret over so many connections.

    Further Reading:
    ZeroWindow DDNS -> http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html
    Sockstress tool-> http://en.wikipedia.org/wiki/Sockstress
    DHS/CERT Notification -> http://www.kb.cert.org/vuls/id/723308

    Evidence: (attached screenshot SockStress.PNG)

    Your thoughts are greatly appreciated.
    NV

    scoop (last edited Nov 17, 2010, 9:06 AM)

      PF (the packet filter in pfSense) has packet scrubbing for this which is enabled by default. See here.

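An added detection example, not from either poster and not pfSense or PF code: it scans tcpdump-style one-line TCP summaries and flags remote hosts that repeatedly advertise a zero window across several distinct connections to the mail port, which is the pattern NoahVail describes (many short-lived connections, each parked at window 0). The capture lines, addresses and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the one-line tcpdump TCP summary, e.g.
#   "IP 203.0.113.45.51234 > 192.0.2.10.25: Flags [.], ack 1, win 0, length 0"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): .*?\bwin (?P<win>\d+)"
)

# Constructed sample capture (RFC 5737 documentation addresses). 192.0.2.10 is
# the local mail server; 203.0.113.45 opens three connections and parks each
# at win 0, while 198.51.100.7 advertises win 0 once (ordinary flow control).
SAMPLE_CAPTURE = """\
22:31:05.100 IP 203.0.113.45.51234 > 192.0.2.10.25: Flags [S], seq 1000, win 65535, length 0
22:31:05.200 IP 203.0.113.45.51234 > 192.0.2.10.25: Flags [P.], seq 1:80, ack 1, win 0, length 79
22:31:05.300 IP 192.0.2.10.25 > 203.0.113.45.51234: Flags [.], ack 80, win 8192, length 1
22:31:05.400 IP 203.0.113.45.51235 > 192.0.2.10.25: Flags [P.], seq 1:80, ack 1, win 0, length 79
22:31:05.500 IP 203.0.113.45.51236 > 192.0.2.10.25: Flags [P.], seq 1:80, ack 1, win 0, length 79
22:31:06.000 IP 198.51.100.7.40001 > 192.0.2.10.25: Flags [.], ack 500, win 0, length 0
22:31:06.100 IP 198.51.100.7.40001 > 192.0.2.10.25: Flags [.], ack 500, win 4096, length 0
22:31:06.200 IP 203.0.113.45.51237 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
22:31:06.300 IP 198.51.100.9.53 > 192.0.2.10.33000: 1234 1/0/0 A 192.0.2.5 (44)
"""

def summarize_zero_window(lines, local_port=25):
    """Per remote source IP, count segments advertising win 0 and the number of
    distinct connections (source ports) aimed at local_port. Segments sent by
    the server itself (its zero-window probes) and other ports are ignored."""
    stats = defaultdict(lambda: {"zero_window": 0, "ports": set()})
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m or int(m.group("dport")) != local_port:
            continue
        entry = stats[m.group("src")]
        entry["ports"].add(int(m.group("sport")))
        if int(m.group("win")) == 0:
            entry["zero_window"] += 1
    return {ip: {"zero_window": v["zero_window"], "connections": len(v["ports"])}
            for ip, v in stats.items()}

def flag_sources(lines, local_port=25, min_zero_window=3, min_connections=2):
    """Return source IPs that hit both thresholds, sorted. A single zero-window
    advertisement on one connection is normal backpressure and is not flagged."""
    summary = summarize_zero_window(lines, local_port)
    return sorted(ip for ip, v in summary.items()
                  if v["zero_window"] >= min_zero_window and v["connections"] >= min_connections)
```

Run it against a real `tcpdump -n 'tcp port 25'` capture to get a per-host list to compare with the firewall's state table; the thresholds are starting points, not tuned values.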