IBM Support

TCP Sequence Number Approximation Based Denial of Service, CVE-2004-0230

Troubleshooting


Problem

This document provides information about how to implement the TCP reset vulnerability fix.

Resolving The Problem

TCP Reset Vulnerability Fix (tcpsecurefix)

=============================================================================
This document describes the fix for the following CVE:
CVE-2004-0230
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
========================================================================================

The fix is available in the base code. 

The TCPSECUREFIX macro is the switch that turns the fix for the TCP reset vulnerability (described in draft-ietf-tcpm-tcpsecure-03.txt) on and off. By default, the fix is completely OFF to avoid potential incompatibility issues.

The fix covers three attacks, and the protection against each one can be turned on or off independently. The three attacks are as follows:
o RST Attack
o SYN Attack
o Data Inject Attack
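
The RST part of the fix, sketched as an added example (this is not IBM i code and does not come from this document): it contrasts the original in-window acceptance rule with the exact-match rule from the tcpsecure draft, which was later published as RFC 5961. The function names and the sample connection state are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver's decision for a RST arriving on an established connection. */
enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_CLOSE };

/* True when seq is acceptable: inside [rcv_nxt, rcv_nxt + rcv_wnd) mod 2^32. */
static int in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;          /* zero window: only RCV.NXT fits */
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Original rule: any in-window RST closes the connection. */
enum rst_action rst_legacy(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return in_window(seq, rcv_nxt, rcv_wnd) ? RST_CLOSE : RST_DROP;
}

/* tcpsecure rule: only SEG.SEQ == RCV.NXT closes. Other in-window values get
 * an ACK, so a genuine peer that really reset can answer with an exact RST. */
enum rst_action rst_hardened(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (!in_window(seq, rcv_nxt, rcv_wnd))
        return RST_DROP;
    return seq == rcv_nxt ? RST_CLOSE : RST_CHALLENGE_ACK;
}

/* How many of the 2^32 sequence values close the connection under each rule. */
uint32_t closing_values(uint32_t rcv_wnd, int hardened)
{
    return (hardened || rcv_wnd == 0) ? 1 : rcv_wnd;
}

int main(void)
{
    /* Constructed sample state; RCV.NXT sits near the 2^32 wrap on purpose. */
    const uint32_t rcv_nxt = 0xFFFFF000u, rcv_wnd = 65535u;
    const uint32_t seqs[] = { 0xFFFFF000u, 0xFFFFF064u, 0x00000010u, 0xFFFFEFFFu };
    static const char *names[] = { "drop", "challenge ACK", "close" };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq=0x%08X legacy=%s hardened=%s\n", (unsigned)seqs[i],
               names[rst_legacy(seqs[i], rcv_nxt, rcv_wnd)],
               names[rst_hardened(seqs[i], rcv_nxt, rcv_wnd)]);
    printf("closing values: legacy=%u hardened=%u\n",
           (unsigned)closing_values(rcv_wnd, 0), (unsigned)closing_values(rcv_wnd, 1));
    return 0;
}
```

With a 65535-byte window, the original rule lets 65535 different sequence values close the connection, while the exact-match rule leaves one; this is why the CVE description singles out large window sizes.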

The macro can be called as a native macro from service tools on the IBM i (for example, STRSST/STRDST – 1-4-1-2-14- TCPSECUREFIX).

The help text for the macro is as follows:

Running macro: TCPSECUREFIX -H
Purpose: It allows viewing or altering of the TCP vulnerability fix value. This defaults to 0 - no fix implemented. Use this tool to turn it on.

Options:
-h Display this help message.
-display Display the current value and default value.
-set:<XXX> Enable the fix for XXX, where XXX is one of the following:

ALL - RST Attack, SYN Attack, and Data Inject
RST - just RST Attack
SYN - just SYN Attack
DINJ - just Data Inject
NONE - no fixes implemented

Any combination of RST, SYN, and DINJ can be used together by using "&" to join them, for example: -set:SYN&DINJ.
-reset Resets the value back to the default - 0.


Historical Number

422834592

Document Information

Modified date:
08 March 2022

UID

nas8N1014837