Bugtraq mailing list archives
re:Breaking the checksum (a new TCP/IP blind data injection technique
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 15 Dec 2003 20:07:19 +0100 (CET)
On Mon, 15 Dec 2003 LARSJ () inel gov wrote:

> This is a good line of thought that needs to be re-addressed every now and then, but I can remember discussing this exact attack ten years ago. There's even an RFC on it. RFC 1858 if memory serves.

Lars,

Nope. The set of attacks discussed in RFC1858 is indeed old, but has nothing to do with the TCP/IP injection vector I have described.

The RFC1858 attacks describe firewall-bypassing attacks: "tiny fragment attack", where a malicious TCP or UDP packet is sent in chunks too small to be properly analyzed by the device; and "source porting", where the header of a previously analyzed packet is modified by an overlapping chunk. Both techniques are old, well known and easy to prevent (and, indeed, prevented by all modern implementations).

The attack I described, for a change, is not aimed at bypassing a firewall, and seems to be pretty damn impossible to fix without breaking some functionality.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-15 20:02 --

   http://lcamtuf.coredump.cx/photo/current/
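The two RFC 1858 filter rules that make the tiny-fragment and overlapping-fragment attacks "easy to prevent", applied to constructed IPv4 packets. This is an added example, not code from the thread or from any RFC; the 16-octet TMIN, the helper names and the sample packets are assumptions.

```python
import struct

IPPROTO_TCP = 6
# Assumed minimum transport-header length a first fragment must carry so a
# filter can see TCP ports and flags (RFC 1858 leaves the exact tmin to the site).
TMIN = 16


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields that fragment filtering needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_fo, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBHII", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_fo & 0x2000),       # More Fragments flag
        "fo": flags_fo & 0x1FFF,             # fragment offset, 8-octet units
        "transport_len": len(pkt) - ihl,     # bytes of transport data carried
    }


def rfc1858_verdict(pkt: bytes) -> str:
    """Return 'PASS' or a 'DROP: ...' reason per the RFC 1858 filter rules."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return "PASS"
    # Direct method: a first fragment too short to hold the TCP header is dropped.
    if h["fo"] == 0 and h["transport_len"] < TMIN:
        return "DROP: tiny first fragment (RFC 1858 direct method)"
    # Indirect method: FO=1 can only exist to overwrite the first fragment's
    # transport header (ports/flags), so it is dropped unconditionally.
    if h["fo"] == 1:
        return "DROP: FO=1 overlapping fragment (RFC 1858 indirect method)"
    return "PASS"


def make_ipv4(proto: int, mf: bool, fo: int, payload: bytes) -> bytes:
    """Build a minimal constructed IPv4 packet (no options, checksum left 0)."""
    flags_fo = (0x2000 if mf else 0) | (fo & 0x1FFF)
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_fo, 64, proto, 0, 0x0A000001, 0x0A000002)
    return hdr + payload
```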