How to fix "TCP/IP Sequence Prediction Blind Reset Spoofing DoS"

Question

Just finished a Nessus scan and the only thing that came back was "TCP/IP Sequence Prediction Blind Reset Spoofing DoS" - It may be possible to send spoofed RST packets to the remote system.

Description: The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc).

I am using ubuntu 12.04, how can I patch or prevent this issue?

Why do they even bother checking for this? [This is not a significant issue.](http://lwn.net/Articles/81560/) — Michael Hampton, Feb 05 '13 at 21:14

score 6 · Answer 1 · answered Feb 06 '13 at 05:16

Short answer: you don't.

This refers to CVE-2004-0230 and is primarily a problem for machines with very long-lived TCP connections (BGP routers are a prime example of this, as BGP sessions tend to stay active for months). This is basically a denial-of-service attack, and an incredibly difficult one at that.

About the only thing you can do to mitigate is to use smaller window sizes (this increases the pool of likely RST targets that have to be considered), but with initial-sequence randomization and the requirement that the attacker know both the source and destination IPs and ports, it's not worth putting any effort into this.

Red Hat's advisory page has a good breakdown if you're interested.

score 1 · Accepted Answer · edited Oct 07 '21 at 07:59

1

This is fixed now in recent kernels. The kernel fix references RFC 5961 section 3 which deals with the same issue.

edited Oct 07 '21 at 07:59

Community

1

answered Mar 03 '15 at 00:19

Victor Gottardi

26
2

1

Can you be more specific about which version of ubuntu that Kernel patch is in? – greggles Nov 13 '15 at 16:36

How to fix "TCP/IP Sequence Prediction Blind Reset Spoofing DoS"

2 Answers2