
Re: [Full-Disclosure] A new TCP/IP blind data injection technique?



Michal Zalewski wrote:

> Consider the following: Bob sends a TCP/IP ACK packet to Alice, with a
> data payload and within an established session, of which session the
> attacker is aware (attacker-induced or server to server traffic, perhaps).
> Bob's packet exceeds the MTU somewhere en route (be it on some WAN
> interface, or on a local PPPoA, PPPoE or VPN interface), a situation not
> quite unheard of; the IP packet gets fragmented in order to be delivered
> successfully.


This attack is timing sensitive, route sensitive, and is highly unreliable. Those problems aside, however, there is a more fundamental problem. You need to time each and every fragmented packet you send to always arrive before or after (depending on the receiving machine's IP stack) the corresponding legit fragment, yet before the entire packet is assembled. All of that, without having any knowledge about either side of the communicating parties.

How do you get the legit connection you are trying to overload to fragment at the place you mention? Most TCP/IP connections employ PMTU discovery, and then split the stream at layer 4, rather than perform layer 3 assembly. As a result, fragments in TCP/IP communication are extremely rare. The probes I know of show that major sites hardly ever see any fragments at all, outside of deliberate attacks.

Even if you found a victim that does not employ PMTU, fragmentation is still a rare occurrence.

Even if you found a victim that does not employ PMTU and is connecting to a machine where the route requires fragmentation, that splitting is performed by the routers en route. Most routers split the packet with the large chunk at the beginning. Assuming the MTU can never go below ~300 bytes (a conservative number - most will say 512), this means the entire IP and TCP headers are in the same fragment, as well as quite a chunk of the actual TCP payload.

All in all, an interesting attack vector, but I'm not sure how practical it is.

Shachar

--
Shachar Shemesh
Open Source integration & consulting
Home page & resume - http://www.shemesh.biz/
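The following is an added example and is not code from either poster or from the list. It models the two points argued above in a small IPv4 fragmenter and reassembler: that a router fragmenting per RFC 791 puts the IP and TCP headers (plus a chunk of payload) in the first fragment at any realistic MTU, and that whether a blindly injected overlapping fragment "wins" depends on whether it arrives before or after the legitimate one and on the receiving stack's overlap policy. Addresses, ports, IP IDs and the payloads are constructed; checksums are zeroed and never verified, and the reassembler assumes all fragments handed to it already share one (src, dst, protocol, ID) tuple, which a real attacker would have to guess.

```python
import struct

# Added example (not from the thread). Constructed IPv4/TCP packets are built,
# fragmented the way an en-route router would do it, and reassembled under two
# overlap policies. Checksums are left as zero; nothing here checks them.

IHL = 20          # IPv4 header length, no options
TCP_HLEN = 20     # TCP header length, no options
MF = 0x2000       # "more fragments" bit in the IPv4 flags/fragment-offset field

SRC = bytes([10, 0, 0, 1])   # constructed addresses: "Bob" -> "Alice"
DST = bytes([10, 0, 0, 2])


def build_segment(payload, sport=40000, dport=80, seq=1, ack=1):
    """Constructed TCP header (no options, PSH|ACK) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (TCP_HLEN // 4) << 4, 0x18, 65535, 0, 0) + payload


def build_ipv4(segment, ident=0x1234):
    """Wrap a TCP segment in an IPv4 header (no options, checksum zeroed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(segment), ident,
                       0, 64, 6, 0, SRC, DST) + segment


def fragment(packet, mtu):
    """Split an IPv4 packet the way a router does (RFC 791): every fragment
    repeats the IP header, payload chunks are multiples of 8 bytes, the last
    fragment has MF clear. The first fragment carries the largest chunk."""
    hdr, data = packet[:IHL], packet[IHL:]
    if len(packet) <= mtu:
        return [packet]
    chunk = (mtu - IHL) // 8 * 8          # payload bytes per fragment, 8-aligned
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + len(piece) < len(data)
        fhdr = bytearray(hdr)
        struct.pack_into("!H", fhdr, 2, IHL + len(piece))             # total length
        struct.pack_into("!H", fhdr, 6, (MF if more else 0) | (off // 8))
        frags.append(bytes(fhdr) + piece)
    return frags


def reassemble(frags, policy="first"):
    """Reassemble fragments of one datagram in arrival order. Stacks differ in
    how they resolve overlapping bytes; the two extremes modelled here are
    'first' (the earliest-arriving fragment keeps its bytes) and 'last' (a later
    fragment overwrites). Returns the reassembled L4 segment, or None on a hole."""
    buf = {}
    total = None
    for f in frags:
        flags_off = struct.unpack("!H", f[6:8])[0]
        off = (flags_off & 0x1FFF) * 8
        data = f[IHL:]
        for i, b in enumerate(data):
            if policy == "first" and off + i in buf:
                continue
            buf[off + i] = b
        if not flags_off & MF:
            total = off + len(data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def tcp_header_in_first_fragment(mtu, segment_len=1400):
    """Does the first router-made fragment carry the whole (optionless) TCP header?"""
    pkt = build_ipv4(build_segment(b"B" * (segment_len - TCP_HLEN)))
    first = fragment(pkt, mtu)[0]
    return len(first) - IHL >= TCP_HLEN


def blind_injection(policy, forged_first, mtu=576):
    """Model the scenario in the thread: Bob's segment is fragmented en route and
    the attacker sends a forged copy of the second fragment (same ID, offset and
    MF) either before or after the legitimate one. Returns True if the forged
    bytes end up in the segment Alice reassembles."""
    legit = build_ipv4(build_segment(b"A" * 1400), ident=0x4242)
    frags = fragment(legit, mtu)                      # 576 -> 552-byte chunks
    second = frags[1]
    forged = second[:IHL] + b"X" * (len(second) - IHL)
    order = [frags[0]]
    order += [forged, second] if forged_first else [second, forged]
    order += frags[2:]
    seg = reassemble(order, policy)
    return seg is not None and b"X" in seg


if __name__ == "__main__":
    for mtu in (1500, 576, 300, 68):
        print(mtu, "TCP header in first fragment:", tcp_header_in_first_fragment(mtu))
    for policy in ("first", "last"):
        for before in (True, False):
            print(policy, "forged arrives first" if before else "forged arrives last",
                  "-> injected:", blind_injection(policy, before))
```

With no TCP options, even the 68-byte IPv4 minimum MTU leaves 48 payload bytes in the first fragment, enough for the whole 20-byte TCP header; a segment carrying the maximum 40 bytes of options would need a chunk of at least 60 bytes, so the conclusion above still holds for any MTU of 300 or more. The injection model also makes the timing constraint concrete: under the "first" policy the forged fragment only takes effect if it beats the legitimate one to the reassembly queue, under "last" only if it arrives after it, and in both cases before the datagram completes.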


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html