sysctl.conf: drop RST packets for sockets in TIME-WAIT state

Message ID d5d144a1-5827-d0d6-6c20-84b1c137c698@ipfire.org
State Accepted
Commit dc5a89c948ec9c30352e44d19495e596758beabf
Series sysctl.conf: drop RST packets for sockets in TIME-WAIT state

Commit Message

Peter Müller Sept. 30, 2020, 2:46 p.m. UTC
RFC 1337 describes various TCP (side channel) attacks against
prematurely closed connections stalling in TIME-WAIT state, such as DoS
or injecting arbitrary TCP segments, and recommends silently discarding
RST packets for sockets in this state.

While applications still tied to such sockets should tolerate invalid
input (thanks to Jon Postel), there is little legitimate reason to send
such RST packets altogether.

At the time of writing, no collateral damage related to active RFC 1337
implementations is known. Measurements in productive environments did
not reveal any side effects either, which is why I consider enabling the
RFC 1337 implementation to be a safe change.

See also: https://tools.ietf.org/html/rfc1337

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/etc/sysctl.conf | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
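The hazard the commit message refers to is easier to see in a small model than in the RFC text. The following is an added example, not IPFire or kernel code: it models only the RST decision of the kernel's TIME-WAIT handling (a RST either kills the entry or is ignored, depending on `tcp_rfc1337`) and the receive-window check of a reincarnated connection, then replays RFC 1337 hazard H1 (an old duplicate data segment accepted by the new incarnation). The MSL value, the sequence numbers and the payload are constructed for the example; real stacks also randomise the ISN, which only makes the collision less likely, not impossible.

```python
"""Model of a RST hitting a TIME-WAIT socket with tcp_rfc1337 off and on.

Added example, not IPFire's or the kernel's code.  Only the RST branch of
TIME-WAIT handling and a simplified in-window check are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MSL = 30                    # assumed maximum segment lifetime (seconds), model value
TIME_WAIT_LEN = 2 * MSL     # TIME-WAIT lasts 2*MSL


@dataclass
class Segment:
    seq: int
    rst: bool = False
    payload: bytes = b""


@dataclass
class TimeWaitSocket:
    """One 4-tuple parked in TIME-WAIT after the local side closed first."""
    expires_at: int          # model time at which the 2*MSL timer fires
    alive: bool = True

    def process(self, seg: Segment, now: int, rfc1337: bool) -> str:
        """Handle a segment for this TIME-WAIT entry and report the outcome.

        tcp_rfc1337=0: a RST tears the entry down at once ("TIME-WAIT
        assassination").  tcp_rfc1337=1: the RST is ignored and the entry
        stays until its timer expires.
        """
        if not self.alive or now >= self.expires_at:
            self.alive = False
            return "expired"
        if seg.rst:
            if not rfc1337:
                self.alive = False
                return "killed"
            return "rst-ignored"
        # Any other segment just restarts the timer; its payload goes nowhere.
        self.expires_at = now + TIME_WAIT_LEN
        return "kept"


@dataclass
class Connection:
    """A fresh incarnation of the same 4-tuple (ESTABLISHED, simplified)."""
    rcv_nxt: int
    rcv_wnd: int
    received: List[bytes] = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        """Accept data whose sequence number starts inside the receive window."""
        in_window = self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd
        if in_window and seg.payload:
            self.received.append(seg.payload)
            return True
        return False


def scenario(rfc1337: bool) -> dict:
    """Replay RFC 1337 hazard H1: old duplicate data accepted by a new incarnation.

    All times, sequence numbers and payloads are constructed for the example.
    """
    tw = TimeWaitSocket(expires_at=0 + TIME_WAIT_LEN)

    # t=1: an off-path attacker sends a RST for the 4-tuple (assumed: the
    # sequence number landed in the window, e.g. by guessing).
    rst_outcome = tw.process(Segment(seq=4200, rst=True), now=1, rfc1337=rfc1337)

    # t=2: the peer reopens the same 4-tuple.  In this model a new connection
    # is only set up once no TIME-WAIT entry holds the tuple.
    new_conn: Optional[Connection] = None
    if not tw.alive:
        new_conn = Connection(rcv_nxt=1000, rcv_wnd=65535)   # new ISN, constructed

    # t=10 (< MSL): a delayed data segment from the OLD incarnation arrives and
    # its sequence number happens to fall inside the new window.
    stale = Segment(seq=1200, payload=b"stale data from old incarnation")
    if new_conn is not None:
        stale_accepted = new_conn.accept(stale)
    else:
        tw.process(stale, now=10, rfc1337=rfc1337)   # swallowed by TIME-WAIT
        stale_accepted = False

    return {
        "rst": rst_outcome,
        "reincarnated": new_conn is not None,
        "stale_data_accepted": stale_accepted,
    }


if __name__ == "__main__":
    for setting in (0, 1):
        print(f"net.ipv4.tcp_rfc1337 = {setting}: {scenario(bool(setting))}")
```

With the knob off, the forged RST frees the 4-tuple, the peer reconnects, and the stale segment is delivered as if it belonged to the new connection; with the knob on, the entry survives the RST, the tuple stays unavailable for the full 2*MSL, and the stale segment is discarded. Note that this only concerns TCP connections terminated on the firewall itself; forwarded traffic is not affected by the sysctl.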
  

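To verify that a change like this is both present in the shipped configuration and active on the running kernel, the following added example (not IPFire tooling) parses a sysctl.conf-style fragment and, where `/proc/sys` is readable, compares it with the live value. It mirrors two sysctl(8) behaviours relevant to the patch: `key=value` and `key = value` are equivalent, so the whitespace normalisation in the diff is cosmetic, and entries are applied in file order, so a later duplicate key wins. The sample configuration text is constructed for the example.

```python
"""Audit a sysctl.conf fragment for net.ipv4.tcp_rfc1337 and compare with the kernel.

Added example, not IPFire's own tooling.
"""
import re
from typing import Dict, Optional

# key, optional spaces, '=', optional spaces, value.  A leading '-' tells
# sysctl -p to ignore errors for that entry and is not part of the key name.
_ENTRY = re.compile(r"^\s*-?\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")

RFC1337_KEY = "net.ipv4.tcp_rfc1337"
RFC1337_PROC = "/proc/sys/net/ipv4/tcp_rfc1337"


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Return the effective key -> value map for a sysctl.conf-style text."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = _ENTRY.match(line)
        if match:
            # later lines override earlier ones, as sysctl -p applies them in order
            settings[match.group(1)] = match.group(2)
    return settings


def rfc1337_in_config(text: str) -> bool:
    """True only if the effective value of net.ipv4.tcp_rfc1337 is 1."""
    return parse_sysctl_conf(text).get(RFC1337_KEY) == "1"


def rfc1337_in_kernel(proc_path: str = RFC1337_PROC) -> Optional[bool]:
    """True/False from the running kernel, None when the knob is not readable
    (non-Linux host, container without /proc/sys, insufficient permissions)."""
    try:
        with open(proc_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


# Constructed sample in the two spellings the patch touches
SAMPLE_CONF = """\
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct=1

# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
net.ipv4.tcp_rfc1337 = 1
"""

# Same fragment with a later override, as a drop-in file might introduce
SAMPLE_CONF_OVERRIDDEN = SAMPLE_CONF + "\n-net.ipv4.tcp_rfc1337 = 0\n"


if __name__ == "__main__":
    print("config enables RFC 1337:", rfc1337_in_config(SAMPLE_CONF))
    print("overridden config enables RFC 1337:", rfc1337_in_config(SAMPLE_CONF_OVERRIDDEN))
    print("running kernel enables RFC 1337:", rfc1337_in_kernel())
```

On a real system the `rfc1337_in_kernel()` result is the one that matters: `sysctl -p` is only run at boot or by hand, so an edited file and a live kernel can disagree until the next reload.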
Comments

Michael Tremer Sept. 30, 2020, 5:17 p.m. UTC | #1
Thank you.

Would you please propose the same for IPFire 3?

-Michael

> On 30 Sep 2020, at 15:46, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> RFC 1337 describes various TCP (side channel) attacks against
> prematurely closed connections stalling in TIME-WAIT state, such as DoS
> or injecting arbitrary TCP segments, and recommends silently discarding
> RST packets for sockets in this state.
> 
> While applications still tied to such sockets should tolerate invalid
> input (thanks to Jon Postel), there is little legitimate reason to send
> such RST packets altogether.
> 
> At the time of writing, no collateral damage related to active RFC 1337
> implementations is known. Measurements in productive environments did
> not reveal any side effects either, which is why I consider enabling the
> RFC 1337 implementation to be a safe change.
> 
> See also: https://tools.ietf.org/html/rfc1337
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/etc/sysctl.conf | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7e7ebee44..d48c7734e 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -32,7 +32,7 @@ net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> 
> # Enable netfilter accounting
> -net.netfilter.nf_conntrack_acct=1
> +net.netfilter.nf_conntrack_acct = 1
> 
> # Disable netfilter on bridges.
> net.bridge.bridge-nf-call-ip6tables = 0
> @@ -86,10 +86,15 @@ net.ipv4.tcp_wmem = 4096 16384 16777216
> net.ipv4.udp_mem = 3145728 4194304 16777216
> 
> # Prefer low latency over higher throughput
> -net.ipv4.tcp_low_latency=1
> +net.ipv4.tcp_low_latency = 1
> 
> # Reserve more socket space for the TCP window
> -net.ipv4.tcp_adv_win_scale=2
> +net.ipv4.tcp_adv_win_scale = 2
> 
> # Enable TCP fast-open
> net.ipv4.tcp_fastopen = 3
> +
> +# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
> +# This protects against various TCP attacks, such as DoS against or injection
> +# of arbitrary segments into prematurely closed connections.
> +net.ipv4.tcp_rfc1337 = 1
> -- 
> 2.26.2
  

Patch

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 7e7ebee44..d48c7734e 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -32,7 +32,7 @@  net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 
 # Enable netfilter accounting
-net.netfilter.nf_conntrack_acct=1
+net.netfilter.nf_conntrack_acct = 1
 
 # Disable netfilter on bridges.
 net.bridge.bridge-nf-call-ip6tables = 0
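Review bot: The whitespace-only change to `net.netfilter.nf_conntrack_acct` in this hunk (and the same treatment of `tcp_low_latency` and `tcp_adv_win_scale` in the next one) is not mentioned in the commit message, which only describes the RFC 1337 knob. Either add a sentence to the message saying the file is being normalised to the `key = value` spelling, or split the cosmetic edits into their own commit so that `git blame` on those lines points at the real reason they changed. Both spellings are accepted by sysctl(8), so there is no functional effect either way.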
@@ -86,10 +86,15 @@  net.ipv4.tcp_wmem = 4096 16384 16777216
 net.ipv4.udp_mem = 3145728 4194304 16777216
 
 # Prefer low latency over higher throughput
-net.ipv4.tcp_low_latency=1
+net.ipv4.tcp_low_latency = 1
 
 # Reserve more socket space for the TCP window
-net.ipv4.tcp_adv_win_scale=2
+net.ipv4.tcp_adv_win_scale = 2
 
 # Enable TCP fast-open
 net.ipv4.tcp_fastopen = 3
+
+# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
+# This protects against various TCP attacks, such as DoS against or injection
+# of arbitrary segments into prematurely closed connections.
+net.ipv4.tcp_rfc1337 = 1
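Review bot: The new comment overstates what `net.ipv4.tcp_rfc1337 = 1` does. The knob only makes a socket that is already in TIME-WAIT ignore an incoming RST instead of being torn down early; it does not validate RSTs or data segments for connections in any other state, and it has no effect on traffic the firewall merely forwards through conntrack. Suggest narrowing the wording to what the setting actually changes, e.g. `# Ignore RST segments for sockets in TIME-WAIT (RFC 1337), so the 2*MSL timer is honoured and a forged RST cannot free the 4-tuple early for reuse.` It may also be worth noting that, despite the `net.ipv4` prefix, the setting governs the TCP stack for IPv6 sockets as well.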