Bugtraq mailing list archives
Re: A new TCP/IP blind data injection technique?
From: Stephen Frost <sfrost () snowman net>
Date: Fri, 12 Dec 2003 12:32:16 -0500
* Michal Zalewski (lcamtuf () ghettot org) wrote:
> B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it seems that there is a notable (albeit unidentified at the moment) population of systems that do consider it to be optional when set to zero, or do not verify it at all. I have conducted a quick check as follows:
>
> - I have acquired a list of 300 most recent unique IPs that had established a connection to a popular web server.
> - I have sent a SYN packet with a correct TCP checksum to all systems on the list, receiving 170 RST replies.
> - I have sent a SYN packet with zero TCP checksum to all systems on the list, receiving 12 RST replies (7% of the pool).
>
> As such, there seems to be a reason for some concern, even with random IP IDs, since it only takes one RFC-ignorant party for the attack against a session to succeed.
Is it possible the RSTs you're seeing are from firewalls which send an RST due to rules in the firewall? It could be that those 12 hosts wouldn't actually accept a connection where the SYN packet has a zero TCP checksum. Admittedly, this is still RFC ignorance, but it may not be an actual attackable vector.

Could a test be made by modifying an active web server to send SYN+ACKs w/ TCP checksum of 0 after having received a SYN and see if any of the clients respond? This would likely make the server unreachable for most people, of course. Perhaps construct a setup where a SYN+ACK w/ an invalid TCP checksum is sent and one with a valid TCP checksum and have some method to determine if the 0 checksum is accepted.

Just some thoughts.

Stephen
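A defender-side check for the behaviour the thread is probing, added here as an example and not part of this message or the thread: it recomputes the TCP checksum of a raw IPv4 segment over the pseudo-header and distinguishes a valid segment from one carrying a zero checksum that does not match (the kind the RFC-ignorant hosts above would accept) and from an ordinary corrupt one. The addresses, ports and SYN segment are constructed for the example.

```python
import struct

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones' complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum field counts as zero
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def classify_tcp_segment(packet: bytes) -> str:
    """Classify a raw IPv4 packet as valid, zero-checksum, bad-checksum or not-tcp."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        return "not-tcp"
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    found = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src, dst, segment)
    if found == expected:
        return "valid"           # a computed value of 0 is legitimate for TCP, unlike UDP
    if found == 0:
        return "zero-checksum"   # the "checksum treated as optional" case from the thread
    return "bad-checksum"

def build_ipv4_tcp_syn(src: bytes, dst: bytes, sport: int, dport: int, checksum=None) -> bytes:
    """Constructed sample: a minimal IPv4/TCP SYN; checksum=None means compute it correctly."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src, dst, tcp)
    tcp = tcp[:16] + struct.pack("!H", checksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed addresses
    for label, csum in (("correct", None), ("zero", 0), ("corrupt", 0x1234)):
        print(label, classify_tcp_segment(build_ipv4_tcp_syn(src, dst, 40000, 80, csum)))
```

Run over segments pulled from a capture, the zero-checksum bucket shows whether such packets are reaching a host at all, which is the question the firewall-RST hypothesis above leaves open.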