Netgate Discussion Forum

    Prevent TCP Zero Window DDNS (Sockstress) Attacks

    Firewalling
    NoahVail

      Question:
      Can pfSense help me
      protect my mail server
      from a 12 year old TCP vulnerability?

      Explanation:
      We had a TCP ZeroWindow attack on our mail server yesterday.

      FYI: That's one of the TCP vulnerabilities revealed by the SockStress tool, 2 years ago.
      DHS/CERT called for the network hardware manufacturers to deal with it.  Beats me if anything was done.

      Yesterday's Event:

      1. A Comcast IP attempts to deliver mail to our mail server.

      2. Mail Server checks the Comcast IP address against a DNSBL and the BL returns a positive.
        (Bad IP. No delivery for you.)

      3. My mail server promptly disconnects.

      4. Immediately, that same IP sends an HTTP request with the window size set to zero.

      5. Then my server responds with a zero-window probe, as required by (RFC 1122) RFC 793 Section 3.7, page 42.
        This establishes a new connection to the spammer's IP address.

      6. The spamming IP then sends another HTTP request with the window size set to zero.
        My server responds as before and now has 2 connections to the spamming IP.

      This little drama is repeated 100-200 times.
      My mail server begins to fret over so many connections.

      Further Reading:
      ZeroWindow DDNS -> http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html
      Sockstress tool-> http://en.wikipedia.org/wiki/Sockstress
      DHS/CERT Notification -> http://www.kb.cert.org/vuls/id/723308

      Evidence: (attached screenshot: SockStress.PNG)

      Your thoughts are greatly appreciated.
      NV

      scoop

        PF (the packet filter in pfSense) has packet scrubbing for this, which is enabled by default. See here.

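What the PF-side mitigation the reply points at looks like in rule form, as an added example written for this page (it is not code from the thread, and not the ruleset pfSense generates from its GUI). It combines the default scrub rule with the two controls that actually bound the damage from a peer that opens many connections and then stalls them: a state-table ceiling plus a shorter established-connection timeout, and per-source connection limits that push an abusive address into a blocked table. The interface name, the MTA address, the table name and every numeric threshold are assumptions chosen for illustration; tune them against your own traffic before deploying.

```pf
# Hypothetical pf.conf fragment (added example, not from the thread or pfSense).
# Assumed names: em0, 192.0.2.25, <stalled_peers>. Thresholds are illustrative.
ext_if      = "em0"
mail_server = "192.0.2.25"

# Addresses that trip the per-source limits below land here.
table <stalled_peers> persist

# Cap the total number of states so a connection flood cannot exhaust the
# firewall itself; pfSense exposes this as "Firewall Maximum States" under
# System > Advanced > Firewall & NAT.
set limit states 100000

# A Sockstress-style peer holds a connection open without ever moving data.
# PF's default tcp.established timeout is 86400 s (24 h); one hour releases
# such idle states far sooner and limits how many can pile up.
set timeout tcp.established 3600

# Packet normalization, which the reply above refers to; pfSense enables
# this by default.
scrub in on $ext_if all

# Drop anything from an address already flagged as abusive.
block in quick on $ext_if from <stalled_peers>

# Inbound connections to the MTA. A single source may hold at most 20
# concurrent states, and may open at most 15 new connections per 5 s;
# exceeding either adds the source to <stalled_peers> and flushes every
# state it already holds.
pass in on $ext_if proto tcp from any to $mail_server port { 25, 587 } \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, \
     overload <stalled_peers> flush global)
```

Two caveats worth keeping in mind. The limits count connections per source address; PF does not inspect advertised window sizes, so a peer that stays under the thresholds is only ever reclaimed by the timeout. And the `pass in` rule governs connections arriving at the MTA; states the MTA itself initiates are bounded only by the state limit and timeouts, not by `max-src-conn`.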
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.