1 /* $OpenBSD: pf_syncookies.c,v 1.8 2024/12/26 10:15:27 bluhm Exp $ */ 2 3 /* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org> 4 * Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org> 5 * 6 * syncookie parts based on FreeBSD sys/netinet/tcp_syncache.c 7 * 8 * Copyright (c) 2001 McAfee, Inc. 9 * Copyright (c) 2006,2013 Andre Oppermann, Internet Business Solutions AG 10 * All rights reserved. 11 * 12 * This software was developed for the FreeBSD Project by Jonathan Lemon 13 * and McAfee Research, the Security Research Division of McAfee, Inc. under 14 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 15 * DARPA CHATS research program. [2001 McAfee, Inc.] 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 /* 40 * when we're under synflood, we use syncookies to prevent state table 41 * exhaustion. Trigger for the synflood mode is the number of half-open 42 * connections in the state table. 43 * We leave synflood mode when the number of half-open states - including 44 * in-flight syncookies - drops far enough again 45 */ 46 47 /* 48 * syncookie enabled Initial Sequence Number: 49 * 24 bit MAC 50 * 3 bit WSCALE index 51 * 3 bit MSS index 52 * 1 bit SACK permitted 53 * 1 bit odd/even secret 54 * 55 * References: 56 * RFC4987 TCP SYN Flooding Attacks and Common Mitigations 57 * http://cr.yp.to/syncookies.html (overview) 58 * http://cr.yp.to/syncookies/archive (details) 59 */ 60 61 #include "pflog.h" 62 63 #include <sys/param.h> 64 #include <sys/systm.h> 65 #include <sys/mbuf.h> 66 #include <sys/filio.h> 67 #include <sys/socket.h> 68 #include <sys/socketvar.h> 69 #include <sys/kernel.h> 70 #include <sys/time.h> 71 #include <sys/pool.h> 72 #include <sys/proc.h> 73 #include <sys/rwlock.h> 74 #include <sys/syslog.h> 75 76 #include <net/if.h> 77 #include <net/if_var.h> 78 #include <net/if_types.h> 79 #include <net/route.h> 80 81 #include <netinet/in.h> 82 #include <netinet/ip.h> 83 #include <netinet/ip_var.h> 84 #include <netinet/tcp.h> 85 #include <netinet/tcp_seq.h> 86 #include <netinet/udp.h> 87 #include <netinet/ip_icmp.h> 88 #include <netinet/in_pcb.h> 89 #include <netinet/tcp_timer.h> 90 #include <netinet/tcp_var.h> 91 #include <netinet/tcp_fsm.h> 92 #include <netinet/udp_var.h> 93 #include <netinet/icmp_var.h> 94 #include <netinet/ip_divert.h> 95 96 #include <net/pfvar.h> 97 #include <net/pfvar_priv.h> 98 99 #if NPFLOG > 0 100 #include <net/if_pflog.h> 101 #endif /* NPFLOG > 0 */ 102 103 union pf_syncookie { 104 uint8_t cookie; 105 struct { 106 uint8_t oddeven:1, 107 sack_ok:1, 108 wscale_idx:3, 109 mss_idx:3; 110 } flags; 111 }; 112 113 #define PF_SYNCOOKIE_SECRET_SIZE SIPHASH_KEY_LENGTH 114 #define PF_SYNCOOKIE_SECRET_LIFETIME 15 /* seconds */ 115 116 static struct { 117 struct timeout keytimeout; 118 volatile uint oddeven; 119 SIPHASH_KEY key[2]; 120 uint32_t hiwat; /* absolute; # of states */ 121 uint32_t lowat; 122 } pf_syncookie_status; 123 124 void pf_syncookie_rotate(void *); 125 void pf_syncookie_newkey(void); 126 uint32_t pf_syncookie_mac(struct pf_pdesc *, union pf_syncookie, 127 uint32_t); 128 uint32_t pf_syncookie_generate(struct pf_pdesc *, uint16_t); 129 130 void 131 pf_syncookies_init(void) 132 { 133 timeout_set(&pf_syncookie_status.keytimeout, 134 pf_syncookie_rotate, NULL); 135 pf_syncookie_status.hiwat = PFSTATE_HIWAT * PF_SYNCOOKIES_HIWATPCT/100; 136 pf_syncookie_status.lowat = PFSTATE_HIWAT * PF_SYNCOOKIES_LOWATPCT/100; 137 pf_syncookies_setmode(PF_SYNCOOKIES_NEVER); 138 } 139 140 int 141 pf_syncookies_setmode(u_int8_t mode) 142 { 143 if (mode > PF_SYNCOOKIES_MODE_MAX) 144 return (EINVAL); 145 146 if (pf_status.syncookies_mode == mode) 147 return (0); 148 149 pf_status.syncookies_mode = mode; 150 if (pf_status.syncookies_mode == PF_SYNCOOKIES_ALWAYS) { 151 pf_syncookie_newkey(); 152 pf_status.syncookies_active = 1; 153 } 154 return (0); 155 } 156 157 int 158 pf_syncookies_setwats(u_int32_t hiwat, u_int32_t lowat) 159 { 160 if (lowat > hiwat) 161 return (EINVAL); 162 163 pf_syncookie_status.hiwat = hiwat; 164 pf_syncookie_status.lowat = lowat; 165 return (0); 166 } 167 168 int 169 pf_syncookies_getwats(struct pfioc_synflwats *wats) 170 { 171 wats->hiwat = pf_syncookie_status.hiwat; 172 wats->lowat = pf_syncookie_status.lowat; 173 return (0); 174 } 175 176 int 177 pf_synflood_check(struct pf_pdesc *pd) 178 { 179 KASSERT (pd->proto == IPPROTO_TCP); 180 181 if (pd->m && (pd->m->m_pkthdr.pf.tag & PF_TAG_SYNCOOKIE_RECREATED)) 182 return (0); 183 184 if (pf_status.syncookies_mode != PF_SYNCOOKIES_ADAPTIVE) 185 return (pf_status.syncookies_mode); 186 187 if (!pf_status.syncookies_active && 188 pf_status.states_halfopen > pf_syncookie_status.hiwat) { 189 pf_syncookie_newkey(); 190 pf_status.syncookies_active = 1; 191 DPFPRINTF(LOG_WARNING, 192 "synflood detected, enabling syncookies"); 193 pf_status.lcounters[LCNT_SYNFLOODS]++; 194 } 195 196 return (pf_status.syncookies_active); 197 } 198 199 void 200 pf_syncookie_send(struct pf_pdesc *pd) 201 { 202 uint16_t mss, mssdflt; 203 uint32_t iss; 204 205 mssdflt = atomic_load_int(&tcp_mssdflt); 206 mss = max(pf_get_mss(pd, mssdflt), mssdflt); 207 iss = pf_syncookie_generate(pd, mss); 208 pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport, 209 iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 210 0, 1, 0, pd->rdomain); 211 pf_status.syncookies_inflight[pf_syncookie_status.oddeven]++; 212 pf_status.lcounters[LCNT_SYNCOOKIES_SENT]++; 213 } 214 215 uint8_t 216 pf_syncookie_validate(struct pf_pdesc *pd) 217 { 218 uint32_t hash, ack, seq; 219 union pf_syncookie cookie; 220 221 KASSERT(pd->proto == IPPROTO_TCP); 222 223 seq = ntohl(pd->hdr.tcp.th_seq) - 1; 224 ack = ntohl(pd->hdr.tcp.th_ack) - 1; 225 cookie.cookie = (ack & 0xff) ^ (ack >> 24); 226 227 /* we don't know oddeven before setting the cookie (union) */ 228 if (pf_status.syncookies_inflight[cookie.flags.oddeven] == 0) 229 return (0); 230 231 hash = pf_syncookie_mac(pd, cookie, seq); 232 if ((ack & ~0xff) != (hash & ~0xff)) 233 return (0); 234 235 pf_status.syncookies_inflight[cookie.flags.oddeven]--; 236 pf_status.lcounters[LCNT_SYNCOOKIES_VALID]++; 237 return (1); 238 } 239 240 /* 241 * all following functions private 242 */ 243 void 244 pf_syncookie_rotate(void *arg) 245 { 246 /* do we want to disable syncookies? */ 247 if (pf_status.syncookies_active && 248 ((pf_status.syncookies_mode == PF_SYNCOOKIES_ADAPTIVE && 249 pf_status.states_halfopen + pf_status.syncookies_inflight[0] + 250 pf_status.syncookies_inflight[1] < pf_syncookie_status.lowat) || 251 pf_status.syncookies_mode == PF_SYNCOOKIES_NEVER)) { 252 pf_status.syncookies_active = 0; 253 DPFPRINTF(LOG_WARNING, "syncookies disabled"); 254 } 255 256 /* nothing in flight any more? delete keys and return */ 257 if (!pf_status.syncookies_active && 258 pf_status.syncookies_inflight[0] == 0 && 259 pf_status.syncookies_inflight[1] == 0) { 260 memset(&pf_syncookie_status.key[0], 0, 261 PF_SYNCOOKIE_SECRET_SIZE); 262 memset(&pf_syncookie_status.key[1], 0, 263 PF_SYNCOOKIE_SECRET_SIZE); 264 return; 265 } 266 267 /* new key, including timeout */ 268 pf_syncookie_newkey(); 269 } 270 271 void 272 pf_syncookie_newkey(void) 273 { 274 pf_syncookie_status.oddeven = (pf_syncookie_status.oddeven + 1) & 0x1; 275 pf_status.syncookies_inflight[pf_syncookie_status.oddeven] = 0; 276 arc4random_buf(&pf_syncookie_status.key[pf_syncookie_status.oddeven], 277 PF_SYNCOOKIE_SECRET_SIZE); 278 timeout_add_sec(&pf_syncookie_status.keytimeout, 279 PF_SYNCOOKIE_SECRET_LIFETIME); 280 } 281 282 /* 283 * Distribution and probability of certain MSS values. Those in between are 284 * rounded down to the next lower one. 285 * [An Analysis of TCP Maximum Segment Sizes, S. Alcock and R. Nelson, 2011] 286 * .2% .3% 5% 7% 7% 20% 15% 45% 287 */ 288 static int pf_syncookie_msstab[] = 289 { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 }; 290 291 /* 292 * Distribution and probability of certain WSCALE values. 293 * The absence of the WSCALE option is encoded with index zero. 294 * [WSCALE values histograms, Allman, 2012] 295 * X 10 10 35 5 6 14 10% by host 296 * X 11 4 5 5 18 49 3% by connections 297 */ 298 static int pf_syncookie_wstab[] = { 0, 0, 1, 2, 4, 6, 7, 8 }; 299 300 uint32_t 301 pf_syncookie_mac(struct pf_pdesc *pd, union pf_syncookie cookie, uint32_t seq) 302 { 303 SIPHASH_CTX ctx; 304 uint32_t siphash[2]; 305 306 KASSERT(pd->proto == IPPROTO_TCP); 307 308 SipHash24_Init(&ctx, &pf_syncookie_status.key[cookie.flags.oddeven]); 309 310 switch (pd->af) { 311 case AF_INET: 312 SipHash24_Update(&ctx, pd->src, sizeof(pd->src->v4)); 313 SipHash24_Update(&ctx, pd->dst, sizeof(pd->dst->v4)); 314 break; 315 case AF_INET6: 316 SipHash24_Update(&ctx, pd->src, sizeof(pd->src->v6)); 317 SipHash24_Update(&ctx, pd->dst, sizeof(pd->dst->v6)); 318 break; 319 default: 320 panic("unknown address family"); 321 } 322 323 SipHash24_Update(&ctx, pd->sport, sizeof(*pd->sport)); 324 SipHash24_Update(&ctx, pd->dport, sizeof(*pd->dport)); 325 SipHash24_Update(&ctx, &seq, sizeof(seq)); 326 SipHash24_Update(&ctx, &cookie, sizeof(cookie)); 327 SipHash24_Final((uint8_t *)&siphash, &ctx); 328 329 return (siphash[0] ^ siphash[1]); 330 } 331 332 uint32_t 333 pf_syncookie_generate(struct pf_pdesc *pd, uint16_t mss) 334 { 335 uint8_t i, wscale; 336 uint32_t iss, hash; 337 union pf_syncookie cookie; 338 339 cookie.cookie = 0; 340 341 /* map MSS */ 342 for (i = nitems(pf_syncookie_msstab) - 1; 343 pf_syncookie_msstab[i] > mss && i > 0; i--) 344 /* nada */; 345 cookie.flags.mss_idx = i; 346 347 /* map WSCALE */ 348 wscale = pf_get_wscale(pd); 349 for (i = nitems(pf_syncookie_wstab) - 1; 350 pf_syncookie_wstab[i] > wscale && i > 0; i--) 351 /* nada */; 352 cookie.flags.wscale_idx = i; 353 cookie.flags.sack_ok = 0; /* XXX */ 354 355 cookie.flags.oddeven = pf_syncookie_status.oddeven; 356 hash = pf_syncookie_mac(pd, cookie, ntohl(pd->hdr.tcp.th_seq)); 357 358 /* 359 * Put the flags into the hash and XOR them to get better ISS number 360 * variance. This doesn't enhance the cryptographic strength and is 361 * done to prevent the 8 cookie bits from showing up directly on the 362 * wire. 363 */ 364 iss = hash & ~0xff; 365 iss |= cookie.cookie ^ (hash >> 24); 366 367 return (iss); 368 } 369 370 struct mbuf * 371 pf_syncookie_recreate_syn(struct pf_pdesc *pd) 372 { 373 uint8_t wscale; 374 uint16_t mss; 375 uint32_t ack, seq; 376 union pf_syncookie cookie; 377 378 seq = ntohl(pd->hdr.tcp.th_seq) - 1; 379 ack = ntohl(pd->hdr.tcp.th_ack) - 1; 380 cookie.cookie = (ack & 0xff) ^ (ack >> 24); 381 382 if (cookie.flags.mss_idx >= nitems(pf_syncookie_msstab) || 383 cookie.flags.wscale_idx >= nitems(pf_syncookie_wstab)) 384 return (NULL); 385 386 mss = pf_syncookie_msstab[cookie.flags.mss_idx]; 387 wscale = pf_syncookie_wstab[cookie.flags.wscale_idx]; 388 389 return (pf_build_tcp(NULL, pd->af, pd->src, pd->dst, *pd->sport, 390 *pd->dport, seq, 0, TH_SYN, wscale, mss, pd->ttl, 0, 391 PF_TAG_SYNCOOKIE_RECREATED, cookie.flags.sack_ok, pd->rdomain)); 392 } 393