
Re: tcp vulnerability? haven't seen anything on it here...

To: alex@xxxxxxxxxxxx
Subject: Re: tcp vulnerability? haven't seen anything on it here...
From: Horst von Brand <vonbrand@xxxxxxxxxxxx>
Date: Thu, 22 Apr 2004 13:38:42 -0400
Cc: jamal <hadi@xxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: Your message of "Thu, 22 Apr 2004 11:27:05 -0400." <Pine.LNX.4.44.0404221121230.2738-100000@xxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
alex@xxxxxxxxxxxx said:
> > > > Unless i misunderstood: You need someone/thing to see about 64K
> > > > packets within a single flow to make the prediction so the attack
> > > > is successful. Sure to have access to such capability is to be in a
> > > > hostile path, no? ;->
> > > No, you do not need to see any packet.

> > Ok, so i misunderstood then. How do you predict the sequences without
> > seeing any packet? Is there any URL to mentioned paper?

> You don't - just brute-force the tcp 4-tuple and sequence number. The
> attack relies on the fact that you don't have to match sequence number
> exactly, which cuts down on the search-space. (If total search space is
> 2^32, rwin is 16k, effective attack search space is 2^32/16k). Multiplied 
> by number of ephemeral ports, it becomes *feasible* but still not very 
> likely.

If everybody (or at least the bigger knots) filters spoofed traffic, this
ceases to be a problem. And that solves a shipload of other problems, so...

If the cracker has access to the connection between routers (quite unlikely
for BGP), there is other, lower-hanging, fun to be had... and in that case
they can just read the exact data from the stream, no guessing needed at
all. And no protection possible either AFAICS.
Dr. Horst H. von Brand                   User #22616
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
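
The search-space arithmetic quoted in this message, worked through as an added example that is not part of the original e-mail or thread. It models the receiver's in-window test and estimates how receive window size and source-port predictability change the exposure of a long-lived session. Assumptions: "16k" is read as 16384 bytes, and the port counts and packet rate are constructed values.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide


def in_window(seq, rcv_nxt, rwin):
    """True if seq falls in [rcv_nxt, rcv_nxt + rwin), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rwin


def blind_search_space(rwin, candidate_ports=1):
    """Worst-case count of (port, sequence) combinations that must be covered
    before one is in-window, when addresses and one port are already known."""
    windows_in_space = -(-SEQ_SPACE // rwin)  # ceiling division
    return windows_in_space * candidate_ports


def seconds_to_cover(rwin, candidate_ports, packets_per_second):
    """Time needed to cover the whole space at a given spoofed-packet rate."""
    return blind_search_space(rwin, candidate_ports) / packets_per_second


def exposure_table(windows, port_counts, packets_per_second):
    """Rows of (rwin, ports, combinations, seconds) for each setting."""
    return [
        (rwin, ports, blind_search_space(rwin, ports),
         seconds_to_cover(rwin, ports, packets_per_second))
        for rwin in windows
        for ports in port_counts
    ]


if __name__ == "__main__":
    # Constructed inputs: "16k" read as 16384, 65535 as the largest unscaled
    # window; the port counts and the packet rate are assumptions.
    for row in exposure_table([16384, 65535], [1, 16384], 10_000):
        print("rwin=%-6d ports=%-6d combinations=%-12d seconds=%.1f" % row)
```

A larger receive window shrinks the space and an unpredictable source port multiplies it, which is why the figures only matter where spoofed traffic is not filtered at the edge.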
