diff -urN linux-2.4.33-wt1/Documentation/Configure.help linux-2.4.33-wt1-tcp/Documentation/Configure.help
--- linux-2.4.33-wt1/Documentation/Configure.help Sun Oct 22 16:43:15 2006
+++ linux-2.4.33-wt1-tcp/Documentation/Configure.help Sun Oct 22 17:30:33 2006
@@ -4484,6 +4484,29 @@
 For more info, check http://killa.net/infosec/acls/index.html
+TCP Simultaneous Connect
+CONFIG_TCP_SIMULT_CONNECT
+ Strict implementation of RFC793 (TCP) requires support for a
+ feature named "simultaneous connect", which allows two clients to
+ connect to each other without anyone entering a listening mode.
+ While almost never used, and not supported by many OSes, Linux
+ supports this feature.
+
+ However, this feature introduces a weakness in the protocol which
+ makes it very easy for an attacker to prevent you from connecting
+ to a known server. The attacker only has to guess your source port
+ to shut down your connection during its establishment. The impact
+ is limited, but it may be used to prevent an antivirus or IPS from
+ fetching updates and not detecting an attack, or to prevent an SSL
+ gateway from fetching a CRL for example.
+
+ If you want backwards compatibility with every possible application,
+ you should say Y here. If you prefer to enhance security on your
+ systems at the risk of breaking very rare specific applications,
+ you should say N here.
+
+ If unsure, say N.
+
 # Choice: alphatype
 Alpha system type
 CONFIG_ALPHA_GENERIC
diff -urN linux-2.4.33-wt1/net/ipv4/Config.in linux-2.4.33-wt1-tcp/net/ipv4/Config.in
--- linux-2.4.33-wt1/net/ipv4/Config.in Sun Oct 22 16:43:17 2006
+++ linux-2.4.33-wt1-tcp/net/ipv4/Config.in Sun Oct 22 17:31:08 2006
@@ -41,6 +41,7 @@
 bool ' IP: TCP Explicit Congestion Notification support' CONFIG_INET_ECN
 bool ' IP: TCP syncookie support (disabled per default)' CONFIG_SYN_COOKIES
 bool ' IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH
+bool ' IP: TCP simultaneous connect support (disabled per default)' CONFIG_TCP_SIMULT_CONNECT
 if [ "$CONFIG_NETFILTER" != "n" ]; then
   source net/ipv4/netfilter/Config.in
 fi
diff -urN linux-2.4.33-wt1/net/ipv4/tcp_input.c linux-2.4.33-wt1-tcp/net/ipv4/tcp_input.c
--- linux-2.4.33-wt1/net/ipv4/tcp_input.c Sun Dec 4 22:06:00 2005
+++ linux-2.4.33-wt1-tcp/net/ipv4/tcp_input.c Sun Oct 22 17:30:34 2006
@@ -4491,6 +4491,12 @@
  * simultaneous connect with crossed SYNs.
  * Particularly, it can be connect to self.
  */
+#ifndef CONFIG_TCP_SIMULT_CONNECT
+ /* We don't want to support this feature which
+ * weakens the protocol by easing spoofing.
+ */
+ goto discard_and_undo;
+#else
 tcp_set_state(sk, TCP_SYN_RECV);
 
 if (tp->saw_tstamp) {
@@ -4532,6 +4538,7 @@
 #else
 goto discard;
 #endif
+#endif /* CONFIG_TCP_SIMULT_CONNECT */
 }
 /* "fifth, if neither of the SYN or RST bits is set then
  * drop the segment and return."
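Review bot: The new `goto discard_and_undo;` under `#ifndef CONFIG_TCP_SIMULT_CONNECT` in the first tcp_input.c hunk drops a crossed SYN silently, so an administrator who turns the feature off because of the source-port-guessing problem described in the Configure.help hunk gets no indication that such segments are arriving. Bumping a counter before the goto, e.g. `NET_INC_STATS_BH(<new net_statistics field>)` with a field added to the TcpExt table (placeholder name; I have not checked whether an existing 2.4 field fits), would make the drop visible in /proc/net/netstat. The in-code comment is also vaguer than the help text; suggest `/* Simultaneous open disabled (CONFIG_TCP_SIMULT_CONNECT): a SYN without ACK in SYN_SENT is discarded, see Configure.help */`. Because the matching `#endif` only lands in the second hunk some forty lines later, the `#else` should carry the same tag, `#else /* CONFIG_TCP_SIMULT_CONNECT */`, so a reader of either hunk can pair them. The enclosing function (presumably tcp_rcv_synsent_state_process, given the SYN_SENT handling and the discard_and_undo label) starts and ends outside both hunks.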