ICMP vulnerabilities

[Theo de Raadt <deraadt () cvs openbsd org>]

Much more information on the ICMP vulnerabilities that allow you to blindly
tear down TCP sessions.

    http://kerneltrap.org/node/5382

Please note these are not man-in-the-middle attacks.  You can do them
blind.  Totally blind.  You do not need to know any information.

There are three attacks outlined.  They require very small numbers of
packets.

My favorite twist to this would be to slow BGP sessions down so they
(1) stay in TCP slow-start, (2) run with very small MTU.  To do both
these things requires about 128,000 icmp packets, if I recall (perhaps
we can get real figures from gont).

    a) The BGP session would effectively stall, since it cannot keep
       up with the updates.
    b) The BGP daemon would not know that the session has stalled.
       The sub-net starts to become de-syncronized.

Once you are doing very small TCP packets with slow-start, you can
slow down on your icmp attack.  You just need to re-tickle slow start
once in a while.

    c) Eventually the BGP daemon would notice (based on timeouts) that
       the session has stalled, and reset the connection.

When that happens, it will start a new BGP session.  You know this
has happened because over BGP you can see the peer leaving.

    d) the BGP daemon creates a new session.

You bombard it with ICMP again.

Repeat a few times -- and everyone will now consider that peer to be
flapping, and you have successfully taken an ISP off the net.


Please read the article.  My take on this is that there are people
who don't want to fix this.