[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: US-CERT Technical Cyber Security Alert TA04-111A -- Vulnerabilities in TCP
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: RE: US-CERT Technical Cyber Security Alert TA04-111A -- Vulnerabilities in TCP
- From: <soby@xxxxxxxxxxxx>
- Date: Sat, 24 Apr 2004 17:27:56 -0700
A similar issue exists that allows someone to kill TCP connections that
go through many types of firewalls. If the firewalls involved don't
adequately follow the sequence numbers being used in a connection, you
can usually indirectly kill the connection by sending a reset packet
with correct source/dest IPs and ports but a random sequence number.
Many firewalls will see this reset and remove the connection from their
state tables, even if the end host discarded this bad reset. If the
real source or destination hosts send additional traffic over this connection
the firewall will see this as bad traffic and usually send a valid reset
to that host, officially killing the connection. The actual firewall
behavior will vary depending on the specific firewall but the end result
is always that the connection dies.
This method also works with FINs in some cases because many firewalls
treat FINs in a similar way as resets instead of allowing long term half
closed connections.
I've personally done this with about 3 different firewalls but I don't
see any reason that it wouldn't work with any firewall that doesn't follow
sequence numbers for every connection (failover pairs come to mind in
particular). Combined with predictable source ports, it makes a fairly
decent DoS against hosts going through firewalls to known points.
This issue was touched on in one of the Cisco advisories in an indirect
and round-about way. Sorry if someone else has brought this up before
in a different forum but I don't remember seeing or hearing about it
and think it deserves to be mentioned in this thread.
-Brian Soby
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427