Bugtraq mailing list archives
Watcher page moved (and ObBug)
From: mcn () EnGarde com (Mike Neuman)
Date: Fri, 31 Mar 1995 11:11:10 -0600
Apparently a large number of people have complained about the Watcher page, and so LANL has forced me to move it. You can find a link to the new location from either of the pages listed in my sig, OR you can go directly to it at:

http://129.186.203.202/watcher.html

(That space was graciously provided by Infostructure Inc.)

ObBug: ICMP bombing is old, but still works. The problem is when a host receives an ICMP host (or net) unreachable, it has no way of verifying whether or not the packet came from a real gateway between it and the destination.

ICMP packets SHOULD, however, include the first 64 bytes of the datagram which is referenced by the packet. In other words, the ICMP host unreachable message in response to a TCP connection SHOULD contain the TCP ports AND sequence number of the connection which was unreachable. By using the ports and sequence number, a verification of the authenticity could be performed by the IP software.

Unfortunately, most IP implementations (notably Sun's) do no verification and immediately drop ANY connection between the two hosts listed in the ICMP packet.

The fix is to not be sloppy. Even simply looking at the port numbers isn't enough verification as it would only require maybe 2000 spoofed ICMP host unreachable packets to shut down any connection from a machine to a known service. Instead, the sequence number could be compared to the sequence numbers sent and ACKd for the low end, and sequence numbers sent but NOT ACKd for the high end. A simple range comparison...

-Mike

--
Mike Neuman (mcn () EnGarde com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn - http://www.cec.wustl.edu/~dmm2/egs/egs.html
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS data structures for S[ystem] 5 didn't understand data types." - Solaris source
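
The range comparison described in the message above, written out as an added example (not code from the original post or from any IP implementation it mentions). The struct, field and function names are assumptions; the check assumes the quoted datagram carries an IPv4 header plus at least the TCP ports and sequence number, and it goes slightly beyond the text by handling 32-bit sequence wraparound.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-connection state; field names are assumptions for this example. */
struct tcp_conn {
    uint32_t laddr, faddr;  /* local and foreign IPv4 address, host byte order */
    uint16_t lport, fport;  /* local and foreign TCP port */
    uint32_t snd_una;       /* oldest sequence number sent but not yet ACKed */
    uint32_t snd_nxt;       /* next sequence number to send */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* q: the datagram quoted inside the ICMP unreachable (IP header + start of TCP header).
 * Returns 1 only if it names this connection and a sequence number still in flight. */
int icmp_unreach_plausible(const struct tcp_conn *c, const uint8_t *q, size_t len)
{
    if (len < 20 || (q[0] >> 4) != 4) return 0;          /* not IPv4 */
    size_t ihl = (size_t)(q[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;             /* ports + seq missing */
    if (q[9] != 6) return 0;                             /* not TCP */
    /* The quoted packet must be one we sent: source = local, destination = foreign. */
    if (be32(q + 12) != c->laddr || be32(q + 16) != c->faddr) return 0;
    const uint8_t *t = q + ihl;
    if (be16(t) != c->lport || be16(t + 2) != c->fport) return 0;
    /* Range check snd_una <= seq < snd_nxt; unsigned subtraction handles wraparound. */
    return (uint32_t)(be32(t + 4) - c->snd_una) < (uint32_t)(c->snd_nxt - c->snd_una);
}

/* Constructed sample: a connection near sequence wraparound and a quoted segment
 * carrying the given ports and sequence number. */
int demo_check(uint16_t sport, uint16_t dport, uint32_t seq)
{
    struct tcp_conn c = { 0x0a000001, 0x0a000002, 40000, 23, 0xfffffff0u, 0x00000100u };
    uint8_t q[28];
    memset(q, 0, sizeof q);
    q[0] = 0x45; q[9] = 6;                               /* IPv4, IHL 5, TCP */
    q[12] = 10; q[15] = 1; q[16] = 10; q[19] = 2;        /* 10.0.0.1 -> 10.0.0.2 */
    q[20] = (uint8_t)(sport >> 8); q[21] = (uint8_t)sport;
    q[22] = (uint8_t)(dport >> 8); q[23] = (uint8_t)dport;
    q[24] = (uint8_t)(seq >> 24); q[25] = (uint8_t)(seq >> 16);
    q[26] = (uint8_t)(seq >> 8);  q[27] = (uint8_t)seq;
    return icmp_unreach_plausible(&c, q, sizeof q);
}
```

With nothing in flight (snd_una equal to snd_nxt) the window is empty and every ICMP unreachable is rejected by this check.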