How to fix "TCP/IP Sequence Prediction Blind Reset Spoofing DoS"


Solution 1

This is fixed now in recent kernels. The kernel fix references RFC 5961 section 3 which deals with the same issue.

Solution 2

Short answer: you don't.

This refers to CVE-2004-0230 and is primarily a problem for machines with very long-lived TCP connections (BGP routers are a prime example of this, as BGP sessions tend to stay active for months). This is basically a denial-of-service attack, and an incredibly difficult one at that.

About the only thing you can do to mitigate is to use smaller window sizes (this increases the pool of likely RST targets that have to be considered), but with initial-sequence randomization and the requirement that the attacker know both the source and destination IPs and ports, it's not worth putting any effort into this.

Red Hat's advisory page has a good breakdown if you're interested.
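The two answers above turn on one rule change: before RFC 5961 section 3, a TCP receiver honoured a RST whose sequence number fell anywhere inside the receive window, so a spoofed RST only had to land in-window; after the fix, a RST is honoured only if its sequence number is exactly RCV.NXT, and an in-window but inexact RST is answered with a challenge ACK instead. The following is an added illustrative model written for this page (not kernel code and not from either answerer) that simulates both validation rules and counts how many sequence values each rule would accept as a connection teardown, which also makes concrete why the "smaller window" mitigation in Solution 2 only shrinks the exposure while the RFC 5961 behaviour removes it. The state values, window sizes and function names are constructed for the example.

```python
"""Model of TCP RST validation: pre-RFC-5961 "anywhere in window" vs. RFC 5961
section 3 "exact RCV.NXT or challenge ACK".  Illustrative only; constructed for
this page, not taken from the Linux kernel or from either answer above."""

SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence-number space


def in_window(rcv_nxt: int, rcv_wnd: int, seq: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action(rcv_nxt: int, rcv_wnd: int, seq: int, rfc5961: bool) -> str:
    """Decide what a receiver does with a RST carrying sequence number `seq`.

    Returns one of:
      "drop"          - RST is outside the window; silently discarded (both rules)
      "reset"         - connection is torn down
      "challenge_ack" - RFC 5961 sec. 3 only: in-window but not RCV.NXT, so the
                        receiver replies with a challenge ACK and keeps the connection
    """
    if not in_window(rcv_nxt, rcv_wnd, seq):
        return "drop"
    if not rfc5961:
        # Pre-fix behaviour (CVE-2004-0230): any in-window RST is accepted.
        return "reset"
    if seq == rcv_nxt % SEQ_SPACE:
        return "reset"
    return "challenge_ack"


def accepted_reset_count(rcv_nxt: int, rcv_wnd: int, rfc5961: bool) -> int:
    """Number of distinct sequence values that tear the connection down.

    Only in-window values can be accepted, so scanning the window is exhaustive.
    """
    return sum(
        1
        for off in range(rcv_wnd)
        if rst_action(rcv_nxt, rcv_wnd, (rcv_nxt + off) % SEQ_SPACE, rfc5961) == "reset"
    )


def exposure_fraction(rcv_wnd: int, rfc5961: bool) -> float:
    """Fraction of the 2^32 sequence space a receiver would honour as a RST."""
    return accepted_reset_count(0, rcv_wnd, rfc5961) / SEQ_SPACE


if __name__ == "__main__":
    # Constructed window sizes: a default 64 KiB window and a smaller one, as in
    # the "use smaller window sizes" mitigation from Solution 2.
    for wnd in (65535, 16384):
        old = accepted_reset_count(0, wnd, rfc5961=False)
        new = accepted_reset_count(0, wnd, rfc5961=True)
        print(f"window={wnd:6d}  pre-RFC5961 accepted={old:6d}  RFC5961 accepted={new}")
    # Wraparound check: RCV.NXT just below 2^32 with a window that crosses zero.
    print(rst_action(SEQ_SPACE - 10, 100, 5, rfc5961=True))  # challenge_ack
```

Run as a script it prints, for each window size, how many sequence values the old rule accepts (the whole window) against the one value the RFC 5961 rule accepts; halving the window halves the first number but leaves the second at 1, which is the quantitative version of "you don't fix this by tuning, you fix it by running a kernel with the RFC 5961 behaviour". The `rfc5961=True` branch is the defender-relevant one: the challenge ACK means a mis-sequenced RST is logged as a normal ACK exchange rather than a dropped session.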

Author: Mike Curry
Updated on September 18, 2022

Comments

  • Mike Curry (almost 2 years)

    Just finished a Nessus scan and the only thing that came back was "TCP/IP Sequence Prediction Blind Reset Spoofing DoS": It may be possible to send spoofed RST packets to the remote system.

    Description: The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc.).

    I am using Ubuntu 12.04; how can I patch or prevent this issue?

    • Michael Hampton (over 11 years)
      Why do they even bother checking for this? This is not a significant issue.
    • Mike Curry (over 11 years)
      I know, if it's not an issue, I might drop it.
  • greggles (over 8 years)
    Can you be more specific about which version of Ubuntu that kernel patch is in?