IBM Support

IY55949: SECURITY: TCP CONNECTIONS MAY BE RESET CAUSING A DOS

A fix is available


APAR status

  • Closed as program error.

Error description

  • An attacker may reset a TCP connection by guessing the host and
    receiver and the respective ports they are using.
    

Local fix

Problem summary

  • An attacker may reset a TCP connection by guessing the host
    and receiver and the respective ports they are using.
    

Problem conclusion

  • 1) Any time a RST arrives and it does NOT have the same
    expected sequence number even though the sequence number is
    "in the window" that would be allowed, a current ACK is sent
    back to the peer. This will force a "challenge/response"
    situation that a blind attacker will not be able to
    penetrate. We achieve this at the expense of an extra RTT
    (round trip time) if the first RST is legitimate.
    
    2) Any time a SYN segment arrives for a current connection,
    an ACK will be sent back (no matter what the sequence
    number is). This again will form a "challenge/response"
    since the receiver of such an ACK (after validly restarting
    and sending SYN) will send a RST back with the correct
    sequence number.
    
    3) For the data insertion attack the following simple fix
    will suffice. When a data segment arrives do not accept just
    any ACK value. Drop any segment whose ACK is less than
    (snd_una - max_window).
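
The three checks above as one receive-path decision function; this is an added example, not IBM's AIX code. Apart from `snd_una` and `max_window`, every struct, field and verdict name is hypothetical, and silently discarding an out-of-window RST is standard TCP behaviour assumed here rather than stated in the APAR.

```c
#include <stdint.h>

/* Wrap-safe comparisons on 32-bit TCP sequence numbers. */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) >= 0)

#define F_SYN 0x02
#define F_RST 0x04
#define F_ACK 0x10

enum verdict { V_ACCEPT, V_RESET_CONN, V_CHALLENGE_ACK, V_DROP };

/* Hypothetical minimal state for an established connection. */
struct conn {
    uint32_t rcv_nxt;    /* next sequence number expected from the peer */
    uint32_t rcv_wnd;    /* receive window we currently advertise */
    uint32_t snd_una;    /* oldest byte we sent that is not yet ACKed */
    uint32_t max_window; /* largest window the peer has ever advertised */
};

struct seg { uint8_t flags; uint32_t seq; uint32_t ack; };

/* Decide what to do with a segment arriving on an established connection. */
enum verdict check_segment(const struct conn *c, const struct seg *s)
{
    if (s->flags & F_RST) {
        /* Fix 1: only an exact sequence match tears the connection down. */
        if (s->seq == c->rcv_nxt)
            return V_RESET_CONN;
        /* In window but not exact: answer with the current ACK. */
        if (SEQ_GEQ(s->seq, c->rcv_nxt) &&
            SEQ_LT(s->seq, c->rcv_nxt + c->rcv_wnd))
            return V_CHALLENGE_ACK;
        /* Assumption: out-of-window RST is discarded (standard TCP). */
        return V_DROP;
    }
    /* Fix 2: a SYN on a live connection gets an ACK, whatever its seq. */
    if (s->flags & F_SYN)
        return V_CHALLENGE_ACK;
    /* Fix 3: reject segments whose ACK is older than snd_una - max_window.
     * The APAR states only this lower bound, so only it is checked. */
    if ((s->flags & F_ACK) && SEQ_LT(s->ack, c->snd_una - c->max_window))
        return V_DROP;
    return V_ACCEPT;
}

int main(void)
{
    struct conn c = { 1000, 5000, 70000, 65535 };  /* constructed state */
    struct seg blind_rst = { F_RST, 3000, 0 };     /* in window, not exact */
    return check_segment(&c, &blind_rst) == V_CHALLENGE_ACK ? 0 : 1;
}
```
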
    

Temporary fix

Comments

APAR Information

  • APAR number

    IY55949

  • Reported component name

    AIX 5L POWER V5

  • Reported component ID

    5765E6200

  • Reported release

    520

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2004-04-20

  • Closed date

    2004-05-07

  • Last modified date

    2004-11-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IY55950 IY62006

Fix information

  • Fixed component name

    AIX 5L POWER V5

  • Fixed component ID

    5765E6200

Applicable component levels

  • R520 PSY U498519

       UP04/11/05 I 1000

PTF to Fileset Mapping


Document Information

Modified date:
05 November 2004