Problem

Denial of service flaws in the way TCP connections are handled have been disclosed by Robert E. Lee and the late Jack C. Louis of Outpost24 AB. These flaws allow an attacker to create crafted TCP connections, which can eventually exhaust the receiver's system resources and lead to a denial of service. These flaws are assigned CVE-2008-4609 (Red Hat Bugzilla bug 465932). Details of the attacks are described in the CERT-FI advisory.

Exploiting these flaws requires the attacker to have access to a subnet where they have routable IP addresses that they can make use of. These need to be different from the IP address being used by the attacker's machine. The attacking system must send from IP addresses that are not being competed for by other hosts, and it must guarantee that its ARP poisoning is completely effective. The attacking system must create an attack which can not only generate the three-way handshake but can avoid sending RST frames in a response.

Red Hat would like to thank CERT-FI and Outpost24 AB for reporting these issues.

Mitigation

These attacks target design limitations of the TCP protocol. Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced.

The following iptables example checks if packets are part of an existing or associated connection. If they are, the packets are accepted. Otherwise, if 10 connection attempts to any TCP port are received within 5 minutes, they are dropped:

iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags FIN FIN -m recent --remove
iptables -A INPUT -p tcp -m recent --set
iptables -A INPUT -p tcp -m recent --update --seconds 300 --hitcount 10 -j DROP

This is only an example. Mitigation should be dealt with on a site-by-site basis.

Once you know you are under attack, block the IP address or subnet since this will be revealed in the attack packets. Furthermore, contact your upstream Internet provider to get those IP addresses blocked at their ingress.

Note: Support for connlimit in the kernel was added in Red Hat Enterprise Linux 5 via the advisory RHSA-2009:1243. At the time of writing, a bug is preventing it from working correctly, and as such, connlimit was not used in the above example. Future updates will address this issue.

SOURCE:
http://kbase.redhat.com/faq/docs/DOC-18730

Because of the fact that Red Hat is not planning to release updates to resolve these issues maybe ASL should take care of it.
But the experts will know it better...
Thanks to Scott and Mike

We always include any upstream patches in ASL.

In the meantime, those rules look safe enough and connlimit should be loaded by default - so go for it. I'd recommend you add in a logging rule so if you know its being triggered while testing this out.

Heres a simple iptables example:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:ASL-LOG-DROP - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --tcp-flags FIN FIN -m recent --remove
-A RH-Firewall-1-INPUT -p tcp -m recent --set
-A RH-Firewall-1-INPUT -p tcp -m recent --update --seconds 300 --hitcount 10 -j ASL-LOG-DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A ASL-LOG-DROP -m limit --limit 1/second -j LOG --log-level info --log-prefix "TCP DOS Attack DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A ASL-LOG-DROP -j DROP
COMMIT

Now, with that in mind - this a very simple rule Redhat put together - its basically saying drop anything from an IP if it connects more than 10 times in 300 seconds. This will cause problems for you if you don't tune it for your box. For example, if you have two servers that talk to each other alot expect things to break between them within a few minutes, or if you get a lot of traffic from certain proxys - breakage is going to occur.

We're looking into the kernel solution which should be far more reliable.