1 /* $OpenBSD: pf_syncookies.c,v 1.7 2018/09/10 15:54:28 henning Exp $ */ 2 3 /* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org> 4 * Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org> 5 * 6 * syncookie parts based on FreeBSD sys/netinet/tcp_syncache.c 7 * 8 * Copyright (c) 2001 McAfee, Inc. 9 * Copyright (c) 2006,2013 Andre Oppermann, Internet Business Solutions AG 10 * All rights reserved. 11 * 12 * This software was developed for the FreeBSD Project by Jonathan Lemon 13 * and McAfee Research, the Security Research Division of McAfee, Inc. under 14 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 15 * DARPA CHATS research program. [2001 McAfee, Inc.] 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 /* 40 * when we're under synflood, we use syncookies to prevent state table 41 * exhaustion. Trigger for the synflood mode is the number of half-open 42 * connections in the state table. 43 * We leave synflood mode when the number of half-open states - including 44 * in-flight syncookies - drops far enough again 45 */ 46 47 /* 48 * syncookie enabled Initial Sequence Number: 49 * 24 bit MAC 50 * 3 bit WSCALE index 51 * 3 bit MSS index 52 * 1 bit SACK permitted 53 * 1 bit odd/even secret 54 * 55 * References: 56 * RFC4987 TCP SYN Flooding Attacks and Common Mitigations 57 * http://cr.yp.to/syncookies.html (overview) 58 * http://cr.yp.to/syncookies/archive (details) 59 */ 60 61 #include "pflog.h" 62 63 #include <sys/param.h> 64 #include <sys/systm.h> 65 #include <sys/mbuf.h> 66 #include <sys/filio.h> 67 #include <sys/socket.h> 68 #include <sys/socketvar.h> 69 #include <sys/kernel.h> 70 #include <sys/time.h> 71 #include <sys/pool.h> 72 #include <sys/proc.h> 73 #include <sys/rwlock.h> 74 #include <sys/syslog.h> 75 76 #include <net/if.h> 77 #include <net/if_var.h> 78 #include <net/if_types.h> 79 #include <net/route.h> 80 81 #include <netinet/in.h> 82 #include <netinet/ip.h> 83 #include <netinet/ip_var.h> 84 #include <netinet/tcp.h> 85 #include <netinet/tcp_seq.h> 86 #include <netinet/udp.h> 87 #include <netinet/ip_icmp.h> 88 #include <netinet/in_pcb.h> 89 #include <netinet/tcp_timer.h> 90 #include <netinet/tcp_var.h> 91 #include <netinet/tcp_fsm.h> 92 #include <netinet/udp_var.h> 93 #include <netinet/icmp_var.h> 94 #include <netinet/ip_divert.h> 95 96 #include <net/pfvar.h> 97 #include <net/pfvar_priv.h> 98 99 #if NPFLOG > 0 100 #include <net/if_pflog.h> 101 #endif /* NPFLOG > 0 */ 102 103 union pf_syncookie { 104 uint8_t cookie; 105 struct { 106 uint8_t oddeven:1, 107 sack_ok:1, 108 wscale_idx:3, 109 mss_idx:3; 110 } flags; 111 }; 112 113 #define PF_SYNCOOKIE_SECRET_SIZE SIPHASH_KEY_LENGTH 114 #define PF_SYNCOOKIE_SECRET_LIFETIME 15 /* seconds */ 115 116 static struct { 117 struct timeout keytimeout; 118 volatile uint oddeven; 119 SIPHASH_KEY key[2]; 120 uint32_t hiwat; /* absolute; # of states */ 121 uint32_t lowat; 122 } pf_syncookie_status; 123 124 void pf_syncookie_rotate(void *); 125 void pf_syncookie_newkey(void); 126 uint32_t pf_syncookie_mac(struct pf_pdesc *, union pf_syncookie, 127 uint32_t); 128 uint32_t pf_syncookie_generate(struct pf_pdesc *, uint16_t); 129 130 void 131 pf_syncookies_init(void) 132 { 133 timeout_set(&pf_syncookie_status.keytimeout, 134 pf_syncookie_rotate, NULL); 135 pf_syncookie_status.hiwat = PFSTATE_HIWAT * PF_SYNCOOKIES_HIWATPCT/100; 136 pf_syncookie_status.lowat = PFSTATE_HIWAT * PF_SYNCOOKIES_LOWATPCT/100; 137 pf_syncookies_setmode(PF_SYNCOOKIES_NEVER); 138 } 139 140 int 141 pf_syncookies_setmode(u_int8_t mode) 142 { 143 if (mode > PF_SYNCOOKIES_MODE_MAX) 144 return (EINVAL); 145 146 if (pf_status.syncookies_mode == mode) 147 return (0); 148 149 pf_status.syncookies_mode = mode; 150 if (pf_status.syncookies_mode == PF_SYNCOOKIES_ALWAYS) { 151 pf_syncookie_newkey(); 152 pf_status.syncookies_active = 1; 153 } 154 return (0); 155 } 156 157 int 158 pf_syncookies_setwats(u_int32_t hiwat, u_int32_t lowat) 159 { 160 if (lowat > hiwat) 161 return (EINVAL); 162 163 pf_syncookie_status.hiwat = hiwat; 164 pf_syncookie_status.lowat = lowat; 165 return (0); 166 } 167 168 int 169 pf_syncookies_getwats(struct pfioc_synflwats *wats) 170 { 171 wats->hiwat = pf_syncookie_status.hiwat; 172 wats->lowat = pf_syncookie_status.lowat; 173 return (0); 174 } 175 176 int 177 pf_synflood_check(struct pf_pdesc *pd) 178 { 179 KASSERT (pd->proto == IPPROTO_TCP); 180 181 if (pd->m && (pd->m->m_pkthdr.pf.tag & PF_TAG_SYNCOOKIE_RECREATED)) 182 return (0); 183 184 if (pf_status.syncookies_mode != PF_SYNCOOKIES_ADAPTIVE) 185 return (pf_status.syncookies_mode); 186 187 if (!pf_status.syncookies_active && 188 pf_status.states_halfopen > pf_syncookie_status.hiwat) { 189 pf_syncookie_newkey(); 190 pf_status.syncookies_active = 1; 191 DPFPRINTF(LOG_WARNING, 192 "synflood detected, enabling syncookies"); 193 pf_status.lcounters[LCNT_SYNFLOODS]++; 194 } 195 196 return (pf_status.syncookies_active); 197 } 198 199 void 200 pf_syncookie_send(struct pf_pdesc *pd) 201 { 202 uint16_t mss; 203 uint32_t iss; 204 205 mss = max(tcp_mssdflt, pf_get_mss(pd)); 206 iss = pf_syncookie_generate(pd, mss); 207 pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport, 208 iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 209 0, 1, 0, pd->rdomain); 210 pf_status.syncookies_inflight[pf_syncookie_status.oddeven]++; 211 pf_status.lcounters[LCNT_SYNCOOKIES_SENT]++; 212 } 213 214 uint8_t 215 pf_syncookie_validate(struct pf_pdesc *pd) 216 { 217 uint32_t hash, ack, seq; 218 union pf_syncookie cookie; 219 220 KASSERT(pd->proto == IPPROTO_TCP); 221 222 seq = ntohl(pd->hdr.tcp.th_seq) - 1; 223 ack = ntohl(pd->hdr.tcp.th_ack) - 1; 224 cookie.cookie = (ack & 0xff) ^ (ack >> 24); 225 226 /* we don't know oddeven before setting the cookie (union) */ 227 if (pf_status.syncookies_inflight[cookie.flags.oddeven] == 0) 228 return (0); 229 230 hash = pf_syncookie_mac(pd, cookie, seq); 231 if ((ack & ~0xff) != (hash & ~0xff)) 232 return (0); 233 234 pf_status.syncookies_inflight[cookie.flags.oddeven]--; 235 pf_status.lcounters[LCNT_SYNCOOKIES_VALID]++; 236 return (1); 237 } 238 239 /* 240 * all following functions private 241 */ 242 void 243 pf_syncookie_rotate(void *arg) 244 { 245 /* do we want to disable syncookies? */ 246 if (pf_status.syncookies_active && 247 ((pf_status.syncookies_mode == PF_SYNCOOKIES_ADAPTIVE && 248 pf_status.states_halfopen + pf_status.syncookies_inflight[0] + 249 pf_status.syncookies_inflight[1] < pf_syncookie_status.lowat) || 250 pf_status.syncookies_mode == PF_SYNCOOKIES_NEVER)) { 251 pf_status.syncookies_active = 0; 252 DPFPRINTF(LOG_WARNING, "syncookies disabled"); 253 } 254 255 /* nothing in flight any more? delete keys and return */ 256 if (!pf_status.syncookies_active && 257 pf_status.syncookies_inflight[0] == 0 && 258 pf_status.syncookies_inflight[1] == 0) { 259 memset(&pf_syncookie_status.key[0], 0, 260 PF_SYNCOOKIE_SECRET_SIZE); 261 memset(&pf_syncookie_status.key[1], 0, 262 PF_SYNCOOKIE_SECRET_SIZE); 263 return; 264 } 265 266 /* new key, including timeout */ 267 pf_syncookie_newkey(); 268 } 269 270 void 271 pf_syncookie_newkey(void) 272 { 273 pf_syncookie_status.oddeven = (pf_syncookie_status.oddeven + 1) & 0x1; 274 pf_status.syncookies_inflight[pf_syncookie_status.oddeven] = 0; 275 arc4random_buf(&pf_syncookie_status.key[pf_syncookie_status.oddeven], 276 PF_SYNCOOKIE_SECRET_SIZE); 277 timeout_add_sec(&pf_syncookie_status.keytimeout, 278 PF_SYNCOOKIE_SECRET_LIFETIME); 279 } 280 281 /* 282 * Distribution and probability of certain MSS values. Those in between are 283 * rounded down to the next lower one. 284 * [An Analysis of TCP Maximum Segment Sizes, S. Alcock and R. Nelson, 2011] 285 * .2% .3% 5% 7% 7% 20% 15% 45% 286 */ 287 static int pf_syncookie_msstab[] = 288 { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 }; 289 290 /* 291 * Distribution and probability of certain WSCALE values. 292 * The absence of the WSCALE option is encoded with index zero. 293 * [WSCALE values histograms, Allman, 2012] 294 * X 10 10 35 5 6 14 10% by host 295 * X 11 4 5 5 18 49 3% by connections 296 */ 297 static int pf_syncookie_wstab[] = { 0, 0, 1, 2, 4, 6, 7, 8 }; 298 299 uint32_t 300 pf_syncookie_mac(struct pf_pdesc *pd, union pf_syncookie cookie, uint32_t seq) 301 { 302 SIPHASH_CTX ctx; 303 uint32_t siphash[2]; 304 305 KASSERT(pd->proto == IPPROTO_TCP); 306 307 SipHash24_Init(&ctx, &pf_syncookie_status.key[cookie.flags.oddeven]); 308 309 switch (pd->af) { 310 case AF_INET: 311 SipHash24_Update(&ctx, pd->src, sizeof(pd->src->v4)); 312 SipHash24_Update(&ctx, pd->dst, sizeof(pd->dst->v4)); 313 break; 314 case AF_INET6: 315 SipHash24_Update(&ctx, pd->src, sizeof(pd->src->v6)); 316 SipHash24_Update(&ctx, pd->dst, sizeof(pd->dst->v6)); 317 break; 318 default: 319 panic("unknown address family"); 320 } 321 322 SipHash24_Update(&ctx, pd->sport, sizeof(*pd->sport)); 323 SipHash24_Update(&ctx, pd->dport, sizeof(*pd->dport)); 324 SipHash24_Update(&ctx, &seq, sizeof(seq)); 325 SipHash24_Update(&ctx, &cookie, sizeof(cookie)); 326 SipHash24_Final((uint8_t *)&siphash, &ctx); 327 328 return (siphash[0] ^ siphash[1]); 329 } 330 331 uint32_t 332 pf_syncookie_generate(struct pf_pdesc *pd, uint16_t mss) 333 { 334 uint8_t i, wscale; 335 uint32_t iss, hash; 336 union pf_syncookie cookie; 337 338 cookie.cookie = 0; 339 340 /* map MSS */ 341 for (i = nitems(pf_syncookie_msstab) - 1; 342 pf_syncookie_msstab[i] > mss && i > 0; i--) 343 /* nada */; 344 cookie.flags.mss_idx = i; 345 346 /* map WSCALE */ 347 wscale = pf_get_wscale(pd); 348 for (i = nitems(pf_syncookie_wstab) - 1; 349 pf_syncookie_wstab[i] > wscale && i > 0; i--) 350 /* nada */; 351 cookie.flags.wscale_idx = i; 352 cookie.flags.sack_ok = 0; /* XXX */ 353 354 cookie.flags.oddeven = pf_syncookie_status.oddeven; 355 hash = pf_syncookie_mac(pd, cookie, ntohl(pd->hdr.tcp.th_seq)); 356 357 /* 358 * Put the flags into the hash and XOR them to get better ISS number 359 * variance. This doesn't enhance the cryptographic strength and is 360 * done to prevent the 8 cookie bits from showing up directly on the 361 * wire. 362 */ 363 iss = hash & ~0xff; 364 iss |= cookie.cookie ^ (hash >> 24); 365 366 return (iss); 367 } 368 369 struct mbuf * 370 pf_syncookie_recreate_syn(struct pf_pdesc *pd) 371 { 372 uint8_t wscale; 373 uint16_t mss; 374 uint32_t ack, seq; 375 union pf_syncookie cookie; 376 377 seq = ntohl(pd->hdr.tcp.th_seq) - 1; 378 ack = ntohl(pd->hdr.tcp.th_ack) - 1; 379 cookie.cookie = (ack & 0xff) ^ (ack >> 24); 380 381 if (cookie.flags.mss_idx >= nitems(pf_syncookie_msstab) || 382 cookie.flags.wscale_idx >= nitems(pf_syncookie_wstab)) 383 return (NULL); 384 385 mss = pf_syncookie_msstab[cookie.flags.mss_idx]; 386 wscale = pf_syncookie_wstab[cookie.flags.wscale_idx]; 387 388 return (pf_build_tcp(NULL, pd->af, pd->src, pd->dst, *pd->sport, 389 *pd->dport, seq, 0, TH_SYN, wscale, mss, pd->ttl, 0, 390 PF_TAG_SYNCOOKIE_RECREATED, cookie.flags.sack_ok, pd->rdomain)); 391 } 392