Does SCTP help against TCP reset attacks?

Steffen Nurpmeso steffen at sdaoden.eu
Wed Mar 16 21:54:19 AEDT 2016


Hello,

i have a question regarding SCTP support of OpenSSH.  (I have
searched the list, and it seems to show up periodically every two
years, and since it's that time again i dare to ask...)
It can't be described better than what i've placed in a bug report
yesterday, so please let me (mostly) copy & paste that:

  Hello.
  I don't know how you do it, i never managed a(n exposed) server
  until January and now [.] i think what i have to face are TCP
  RST attacks on SSH connections, leading to "connection reset"s
  ["connection closed" on client side in fact] (of course).

  My first reaction was something like "go UDP" but all
  i effectively need is SSH, so OpenVPN is much too full-blown for
  a bit of scp/ssh/git over ssh, and mosh (or a quick'n dirty shot
  with new OpenSSL and DTLS, plus pty plus sh) is a complete
  disruption of the workflow. And IPSec is really, really no no
  no.

  Looking around a bit i found RFC 4953, "Defending TCP Against
  Spoofing Attacks", and that mentions SCTP in a few places, e.g.,
  "Other transport protocols, such as SCTP and DCCP, also have
  limited antispoofing mechanisms" and "whereas others establish
  per-connection identity based on exchanged nonces (e.g., SCTP)".
  Now i knew there was an SCTP patch floating for OpenSSH years
  ago, and it is indeed actively maintained until today and even
  available in the OpenSSH that Gentoo packages.

  I'm not at all a network expert so i don't know whether SCTP will
  really help against the particular attack i'm facing, but it
  sounds as if it would address some problems in this area, and so
  i'm kindly asking for inclusion of that actively maintained
  patch in place-your-favourite-OS(-distribution).
  I've downloaded the patch from [1], the OpenSSH bugzilla entries
  are [2] and [3]. Note that the patch ([1]) itself needs a patch
  for using SCTP via getopt aka command line (new -z option).

    [1] http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/openssh-7.2_p1-sctp.patch.xz
    [2] https://bugzilla.mindrot.org/show_bug.cgi?id=1604
    [3] https://bugzilla.mindrot.org/show_bug.cgi?id=2016

Probably an expert can help answering the question whether SCTP
would prevent TCP reset attacks (i guess what would be needed
would be real confidence in mac/address/port of source).

And if so, can't it be included in the portable version of
OpenSSH?  The initial comments of Markus Friedl and Darren Tucker
didn't sound all that bad, imho, and the patch is actively
maintained for many years.
Thanks, and ciao,

--steffen
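
A constructed illustration of the point RFC 4953 makes about SCTP's per-connection nonce, added here and not code from the post, OpenSSH or the SCTP patch: it models the check a receiver applies before honouring a TCP RST versus an SCTP ABORT, so the risk of a blind off-path reset can be compared. The class and function names are mine and the numbers are made up; source address and port are assumed to have matched already in both cases.

```python
"""Receiver-side acceptance rules for a blind (off-path) reset packet.

Constructed example added to this post, not code from OpenSSH or the SCTP
patch. It models only the check a receiver applies before honouring a
TCP RST (RFC 793 window test) or an SCTP ABORT (RFC 4960 verification
tag); source address and port are assumed to have matched already.
"""
from dataclasses import dataclass

SPACE = 2 ** 32  # TCP sequence numbers and SCTP verification tags are 32-bit


@dataclass
class TcpConn:
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # our advertised receive window, in bytes


def tcp_rst_accepted(conn: TcpConn, seg_seq: int) -> bool:
    """RFC 793: honour a RST whose sequence number lies inside the window.

    RFC 5961 tightens this to seg_seq == rcv_nxt (an in-window but inexact
    RST only triggers a challenge ACK); the looser rule is modelled here."""
    lo = conn.rcv_nxt % SPACE
    hi = (conn.rcv_nxt + conn.rcv_wnd) % SPACE
    if lo <= hi:
        return lo <= seg_seq < hi
    return seg_seq >= lo or seg_seq < hi  # window wraps past 2^32


@dataclass
class SctpAssoc:
    my_vtag: int  # nonce we chose in INIT / INIT ACK; the peer echoes it


def sctp_abort_accepted(assoc: SctpAssoc, pkt_vtag: int) -> bool:
    """RFC 4960 8.5: an ABORT is processed only if the packet carries the
    verification tag we announced at association setup (T bit ignored)."""
    return pkt_vtag == assoc.my_vtag


def expected_blind_packets(target) -> float:
    """Average number of spoofed packets an off-path sender would need
    before one passes the check above: one whole window per guess for
    RFC 793 TCP, a single exact 32-bit value for SCTP."""
    if isinstance(target, TcpConn):
        return SPACE / target.rcv_wnd
    return float(SPACE)
```

The verification tag travels in the clear, so this only raises the bar for an off-path attacker who has to guess it; anyone who can observe the packets still has everything needed, which is why the RFC calls the mechanism "limited".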

