
Re: [Full-Disclosure] A new TCP/IP blind data injection technique?



Michal Zalewski wrote:

> On Thu, 11 Dec 2003, Shachar Shemesh wrote:
>
>> This attack is timing sensitive, route sensitive, and is highly
>> unreliable.
>
> So is all session injection, but we have seen practical attacks in the
> past. A very popular software to drop Windows 9x users from IRC servers by
> performing a RST packet injection into an existing session worked
> surprisingly well.

Presumably, injecting a RST requires you to hit the TCP window with a RST packet. You have, at most, 20 bits of entropy on that one. You also have to guess the source port, but those rarely have more than 10 bits of entropy with NOTHING ELSE being known. Often, something else is known.

> Although the problems you mention make some attacks very difficult, in
> many other cases, this is not an issue. Server-to-server communications are
> often either completely predictable, or can be user-induced (and still
> benefit him in some way when compromised). In other cases, a low success
> ratio is not a problem when you want to just disrupt communications at
> some point, and do not care about the exact packet for which this happens
> (for all sessions that last for a while).

Ok, I'll accept that point. Especially as you mention later on that this is not necessarily a practical attack.

>> Most TCP/IP connections employ PMTU discovery, and then split the stream
>> at layer 4, rather than perform Layer 3 assembly.
>
> It is a matter of OS configuration. Many systems indeed do deploy PMTU
> recently. There is a catch, however: some routers, IP-over-nnn tunnels,
> and some firewalls strip and/or ignore the DF flag.

That's not the problem I know. I know of routers that ignore the "Fragmentation needed but don't fragment set" ICMP. As far as I know the suggested workaround for that one is reducing your own MTU (causing TCP SYN to send a lower MSS, and thus still preventing fragmentation).

> This is not as uncommon as
> we would like it to be. I actually have done some research to back this
> claim while writing p0f and encountering some strange discrepancies in
> observed signatures.

Like I said, I have never heard of that one. Do you have names of routers that strip the DF flag?

> I do
> not think this is a threat one should lose sleep over, either, but the
> fact is, it makes session data injection considerably easier than with ISN
> guessing.

Can't judge about that one. I will be happy to get answers to the other questions, however.

Shachar

--
Shachar Shemesh
Open Source integration & consulting
Home page & resume - http://www.shemesh.biz/
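The entropy arithmetic behind the RST-injection exchange above, as an added illustration that is not part of the thread: the classic in-window acceptance test means an off-path sender only needs to land anywhere inside the receive window, so the bits to guess are 32 minus log2(window), plus whatever source-port bits remain unknown. Window sizes and the strict-check variant are constructed assumptions for comparison, not claims about any stack in the thread.

```python
import math

SEQ_SPACE = 1 << 32  # 32-bit TCP sequence number space


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic RFC 793 acceptability test: a segment whose sequence number lies
    in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32 is processed, so a blind RST
    only has to fall somewhere in that range. Wraparound is handled by the
    modular subtraction."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def seq_exact(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Stricter variant (assumed here for comparison): a RST is honoured only
    when seq == rcv_nxt. RFC 5961 (2010) later recommended answering an
    in-window but inexact RST with a challenge ACK, which has this effect on
    the guessing arithmetic."""
    return seq == rcv_nxt


def seq_entropy_bits(rcv_wnd: int, exact: bool = False) -> float:
    """Bits an off-path sender must guess to satisfy the sequence check."""
    if exact:
        return 32.0
    return 32 - math.log2(rcv_wnd)


def expected_attempts(rcv_wnd: int, port_bits: float, exact: bool = False) -> float:
    """Average packets needed to satisfy both the sequence check and an
    unknown source port, assuming uniform guessing over both."""
    return 2 ** (seq_entropy_bits(rcv_wnd, exact) + port_bits)


def worked_example() -> dict:
    # Constructed sample windows: 4096 bytes gives the 20 sequence bits the post
    # mentions; a 64 KiB window brings that down to 16 bits. Port entropy is
    # taken as the 10 bits from the post.
    return {
        "bits_4k": seq_entropy_bits(4096),
        "bits_64k": seq_entropy_bits(65536),
        "attempts_64k_10port": expected_attempts(65536, 10),
        "attempts_64k_strict": expected_attempts(65536, 10, exact=True),
    }
```

The takeaway for a defender is the ratio between the last two values: a larger advertised window cuts the blind-guess cost, and an exact-match RST check restores the full 32 bits regardless of window size.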


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html