Re: tcp vulnerability? haven't seen anything on it here...

alex_at_pilosoft.com
Date: 04/22/04

    Date:	Thu, 22 Apr 2004 11:27:05 -0400 (EDT)
    To: jamal <hadi@cyberus.ca>
    
    

    > > > Unless I misunderstood: You need someone/thing to see about 64K
    > > > packets within a single flow to make the prediction so the attack
    > > > is successful. Sure to have access to such capability is to be in a
    > > > hostile path, no? ;->
    > > No, you do not need to see any packet.
    > >
    >
    > Ok, so I misunderstood then. How do you predict the sequences without
    > seeing any packet? Is there any URL to the mentioned paper?
    You don't - just brute-force the tcp 4-tuple and sequence number. The
    attack relies on the fact that you don't have to match sequence number
    exactly, which cuts down on the search-space. (If total search space is
    2^32, rwin is 16k, effective attack search space is 2^32/16k). Multiplied
    by number of ephemeral ports, it becomes *feasible* but still not very
    likely.

    > > Inter-provider BGP is long-lived with close to fixed ports, which is
    > > why it has caused quite a stir.
    >
    > Makes sense. What would be the overall effect though? Route flaps?
    Yep.

    > > Nevertheless, number of packets to kill the session is still *large*
    > > (under "best-case" for attacker, you need to send 2^30 packets)...

    -alex
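
The window-based acceptance described in the message above, as an added example that is not part of the original thread or of the kernel's code: it compares a receiver that resets on any in-window RST with one that resets only on an exact sequence match, and counts the window-sized slots in the 32-bit sequence space. The 16k window is the figure from the message; the receiver state, the function names and the exact-match rule (modelled on the RST handling in RFC 5961) are assumptions added for comparison.

```c
#include <stdint.h>
#include <stdio.h>

enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_RESET };
typedef enum rst_action (*rst_rule)(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd);

/* RCV.NXT <= seq < RCV.NXT + RCV.WND, computed modulo 2^32 so wraparound works. */
static int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Window-only rule: any in-window RST tears the connection down. */
static enum rst_action rst_window_rule(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seq_in_window(seq, rcv_nxt, rcv_wnd) ? RST_RESET : RST_DROP;
}

/* Exact-match rule (RFC 5961 style): reset only when seq == RCV.NXT,
 * answer every other in-window RST with a challenge ACK. */
static enum rst_action rst_exact_rule(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (!seq_in_window(seq, rcv_nxt, rcv_wnd))
        return RST_DROP;
    return seq == rcv_nxt ? RST_RESET : RST_CHALLENGE_ACK;
}

/* Window-sized slots in the 32-bit space: 2^32 / rwin, rounded up (rwin > 0). */
static uint64_t slots_per_tuple(uint32_t rcv_wnd)
{
    return ((1ULL << 32) + rcv_wnd - 1) / rcv_wnd;
}

/* Feed one sequence value per slot to a rule and count outcomes of one kind. */
static uint64_t count_outcomes(rst_rule rule, enum rst_action want,
                               uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    uint64_t hits = 0, n = slots_per_tuple(rcv_wnd);
    for (uint64_t k = 0; k < n; k++)
        if (rule((uint32_t)(k * rcv_wnd), rcv_nxt, rcv_wnd) == want)
            hits++;
    return hits;
}

int main(void)
{
    uint32_t nxt = 0xFFFFF000u, wnd = 16384; /* constructed receiver state */
    printf("slots per 4-tuple:  %llu\n", (unsigned long long)slots_per_tuple(wnd));
    printf("window rule resets: %llu\n", (unsigned long long)count_outcomes(rst_window_rule, RST_RESET, nxt, wnd));
    printf("exact rule resets:  %llu\n", (unsigned long long)count_outcomes(rst_exact_rule, RST_RESET, nxt, wnd));
    return 0;
}
```

Under the window-only rule one value per slot is enough to reach a reset somewhere in the space; under the exact-match rule the same values produce a challenge ACK instead, so the window no longer shrinks the space.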


