This set of tests focuses on the handling of SYN-segments in the LAST-ACK state.
RFC 0793 requires the sending of a
TCP segment with the RST bit set in response to a SYN segment fullfiling
RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND.
In all other cases, a challenge ACK has to be sent.
For mitigating blind attacks, RFC 5961 requires the sending of a challenge ACK in any case.
In FreeBSD, the sysctl-variable net.inet.tcp.insecure_syn can be used to
select if procedures described in RFC 0793 or
RFC 5961 are followed.
The default is to follow RFC 5961.
| Name | Result FreeBSD 11.0 | Result FreeBSD Head |
|---|---|---|
| rcv-syn-last-ack-outside-left-secure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-outside-left-secure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-left-edge-secure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-left-edge-secure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-right-edge-secure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-right-edge-secure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-outside-right-secure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-outside-right-secure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-outside-left-insecure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-outside-left-insecure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-left-edge-insecure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-left-edge-insecure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-right-edge-insecure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-right-edge-insecure-ipv6 | Unknown | Passed |
| rcv-syn-last-ack-outside-right-insecure-ipv4 | Unknown | Passed |
| rcv-syn-last-ack-outside-right-insecure-ipv6 | Unknown | Passed |