Security Basics mailing list archives
RE: SSL and TCP RST/SYN attack
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Sep 2009 11:51:20 -0700
The attacker doesn't need to be in the same LAN, although that does make it easier. But at minimum he needs to spoof the client's address as the source of his packets, and the client's outbound (ephemeral) port number. (The latter is obtainable by sniffing the client's traffic, which may not be trivial, especially if he is not in the same LAN.)

Nothing in this has anything to do with SSL; if it's an intrinsic vulnerability, it's in all of TCP and not just SSL.

I said IF, because source address and port might not be all the attacker has to spoof for this to work. In general, to inject his own packets into a TCP session, the attacker is going to have to spoof or guess the right sequence number as well. An attack based on header flags rather than payload might not have to meet this condition.

About two years ago, I think, this same scenario was publicized as a vulnerability in BGP. BGP, like SSL, runs on top of TCP, and routers sharing information using BGP have long TCP sessions with each other that typically carry little traffic. But a reset of any of these sessions can cause routing information to be discarded (with consequent notifications to other routers...) and then resent (again with cascading effects) when the sessions are re-established.

The recommended fix was to enable MD5 authentication of BGP packets. This optional feature had been available for ages, but not much used until that point. Apparently only if a packet passed this check (pretty much requiring knowledge of a pre-shared key) would its RST flag be honoured by the recipient. It probably helped that about 99% of devices speaking BGP are routers, many of them made by Cisco. SSL probably encounters a more diverse array of TCP/IP stack implementations, and it is quite likely that some, at least, may look at the header flags without validating the payload first.

(It seems to me that the fix for BGP violates the separation of protocol layers UNLESS, perhaps, BGP's MD5 authentication is really a wrapper for IPSEC's AH (Authenticated Headers) protocol -- which is another way to prevent packets with spoofed source addresses from being accepted and acted upon.)

David Gillett
CISSP CCNP
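The following Python is an added illustration, not code from this thread or from any BGP or TCP implementation. It models the receiver-side decisions David describes: with a shared key configured, a segment carrying no valid RFC 2385 MD5 signature is discarded before its RST flag is even looked at, and without a key a RST is only honoured if its sequence number lands in the receive window (the stricter exact-match rule of RFC 5961 is a later refinement the thread does not mention). The peer addresses, port 179 and the key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct
from collections import namedtuple

RST, ACK = 0x04, 0x10
# The fields of one TCP/IPv4 segment that matter for the RST decision; md5_option
# is the 16-byte digest carried in TCP option kind 19 when the segment is signed.
Segment = namedtuple("Segment", "src dst sport dport seq ack flags window data md5_option",
                     defaults=(b"", None))

def rfc2385_digest(seg, key):
    """RFC 2385 signature: MD5 over pseudo-header, fixed TCP header (checksum 0,
    options excluded), segment data, then the shared key. The 20-byte option
    space (kind 19, len 18, two NOP pads) makes the data offset 10 words."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg.src), socket.inet_aton(seg.dst),
                         0, 6, 40 + len(seg.data))
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         10 << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.data + key).digest()

def sample_rst(seq, key=None):
    """Constructed sample: a RST/ACK from a BGP peer (port 179), signed if a key is given."""
    seg = Segment("10.0.0.1", "10.0.0.2", 179, 40000, seq, 2000, RST | ACK, 65535)
    return seg._replace(md5_option=rfc2385_digest(seg, key)) if key else seg

def accept_rst(seg, rcv_nxt, rcv_wnd, key=None, strict=True):
    """Receiver's decision on a RST: returns (accepted, reason). With a key
    configured, an unsigned or mis-signed segment is dropped before any flag is read."""
    if key is not None and (seg.md5_option is None or
                            not hmac.compare_digest(seg.md5_option, rfc2385_digest(seg, key))):
        return False, "MD5 signature missing or wrong: segment discarded"
    if not seg.flags & RST:
        return False, "no RST flag"
    offset = (seg.seq - rcv_nxt) % 2**32
    if strict and offset != 0:  # RFC 5961 3.2: only seq == RCV.NXT resets, in-window gets a challenge ACK
        return False, "seq != RCV.NXT: challenge ACK instead of reset"
    if offset >= rcv_wnd:  # classic RFC 793 rule: any in-window sequence number resets
        return False, "seq outside the receive window"
    return True, "connection reset"
```

A spoofed segment with the right addresses, ports and even the right sequence number is still dropped in the keyed case, which is the behaviour the BGP fix relied on; without the key, the sequence-number guess is the only remaining hurdle.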
-----Original Message-----
From: David Zhang [mailto:david.zhang1965 () gmail com]
Sent: Sunday, September 20, 2009 9:30 AM
To: security-basics () securityfocus com
Subject: SSL and TCP RST/SYN attack

Hi all:

I would like to ask a question about SSL. Consider the situation of a man in the middle. Because he can always fake TCP RST/SYN packets, he can always block the client from getting service from the https server. So can I say that this is an intrinsic vulnerability in SSL, considering the situation where the attacker is in the same LAN as the client, so the attacker can always block the client from reaching his server (say on-line banking)?

Thanks
David

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------