Re: [suse-security-announce] SuSE Security Announcement: kernel (update) (SuSE-SA:2001:039)
Hi!

On Fri, 2 Nov 2001, Roman Drahtmueller wrote:

> * The attacker must be able to connect to at least one open (unfiltered) tcp port.

Does this apply only to incoming connections, or to outgoing connects, too? (Yes I know, the wording implies the former...) In other words: am I safe (from external attacks) if the box offers no services to the Internet, but just to the intranet?

And: does "able to connect" include connects that are immediately broken because of hosts.deny rules? Or does an attack require a more "permanent" connection?

Bye, Martin

Sorry for letting this wait. The mail got flushed from a temporary folder too early.
>> * The attacker must be able to connect to at least one open (unfiltered) tcp port.
>
> Does this apply only to incoming connections, or to outgoing connects, too? (Yes I know, the wording implies the former...) In other words: am I safe (from external attacks) if the box offers no services to the Internet, but just to the intranet?
Incoming and outgoing refer to the machine, not the network. The statement from the announcement is a description of a requirement that needs to be fulfilled in order for the attack to be possible in the first place. If your host is a filtering router with two networks (inside, outside) attached, while your outside has rules that match syn-only, then you should disable the syncookies or upgrade, yes. The fix of the problem consists of moving a syncookie variable (tcp_lastsynq_overflow) from a global value to a per-socket struct.
> And: does "able to connect" include connects that are immediately broken because of hosts.deny rules? Or does an attack require a more "permanent" connection?
A connection that is being declined by a tcpd or some other function from libwrap.a requires the tcp connection to be fully established for the origin of the connection to be found. If some connection protocol has not completed so that the connection is not established yet, a userspace program that listens on this specific kind of socket should not see a returning system call from the kernel. Not yet. In other words: "able to connect" includes tcp_wrapper-protected ports, yes.
> Bye, Martin
Thanks,
Roman.
-- 
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security, Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
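
A host-side check for the two conditions discussed in this thread (syncookies enabled, at least one listening TCP port), as an added example that is not part of the original mails. The function names are hypothetical, and it assumes a Linux /proc with the little-endian address layout; it does not check the kernel version, since the thread gives none.

```shell
#!/bin/sh
# Added example (not from the thread). Paths default to the live /proc files;
# pass other files to check saved copies instead.

# syncookies_state [FILE]: prints "enabled", "disabled" or "unknown"
syncookies_state() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    [ -r "$f" ] || { echo unknown; return; }
    case $(tr -d '[:space:]' < "$f") in
        0) echo disabled ;;
        [1-9]*) echo enabled ;;
        *) echo unknown ;;
    esac
}

# listen_ports [FILE]: decimal ports of IPv4 sockets in LISTEN state (st 0A)
# that are not bound to 127.0.0.0/8. Assumes the little-endian address
# layout of /proc/net/tcp (127.0.0.1 appears as 0100007F).
# Ports guarded by tcp_wrappers still show up here, matching the reply above.
listen_ports() {
    awk 'NR > 1 && $4 == "0A" {
             split($2, a, ":")
             if (substr(a[1], 7, 2) != "7F") print a[2]
         }' "${1:-/proc/net/tcp}" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -nu
}

# assess [SYSCTL_FILE] [TCP_FILE]: "preconditions-met" when syncookies are on
# and at least one non-loopback TCP port listens. The kernel version is not
# checked, so a patched kernel also reports "preconditions-met".
assess() {
    ports=$(listen_ports "$2")
    if [ "$(syncookies_state "$1")" = enabled ] && [ -n "$ports" ]; then
        echo preconditions-met
    else
        echo preconditions-not-met
    fi
}
```

Calling `assess` with no arguments reads the live /proc files of the host it runs on.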
participants (2): Martin Köhling, Roman Drahtmueller