Educause Security Discussion mailing list archives

Re: Fwd: [VulnWatch] TCP reset vulnerability


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Tue, 20 Apr 2004 14:40:37 -0500

At 3:09 PM -0400 4/20/04, Steve Worona wrote:
I felt the same way, and then I read this part of the report:

Although denial of service using crafted TCP packets is a well
known weakness of TCP, until recently it was believed that a
successful denial of service attack was not achievable in practice.
...

The discoverer of the practicability of the RST attack was Paul A.
Watson, who describes his research in his paper "Slipping In The
Window: TCP Reset Attacks", presented at the CanSecWest 2004
conference. He noticed that the probability of guessing an
acceptable sequence number is much higher than 1/2**32 because the
receiving TCP implementation will accept any sequence number in a
certain range (or "window") of the expected sequence number. The
window makes TCP reset attacks practicable.

So is this a relevant new discovery?  Or old news?

Back in the days when sequence number prediction was simpler there
were several demonstrations of reset attacks. I seem to recall
(but don't have access to my books to check) that Simson Garfinkel
and I wrote such a tool and tested it, then documented it in one of
the earlier editions of our books.

I know we had one here in-house, because the students were using it
against each other until I made them stop. :-)
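The in-window acceptance rule the quoted advisory describes, modelled as an added example (this code is not from the thread, the advisory, or Watson's paper); the window sizes used are constructed, and the receiver-side check is assumed to be the plain RFC 793 rule "accept any sequence number in [RCV.NXT, RCV.NXT+RCV.WND)". It shows why the expected guessing cost drops from 2**32 to roughly 2**32/window, which is the whole reason the window matters for exposure.

```python
# Added example, not part of the original thread. Models the receiver-side
# sequence-number window check that the advisory refers to and quantifies
# how the advertised window size changes a blind sender's guessing cost.

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if `seq` lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32.

    This is the classic acceptability test: a segment whose sequence number
    lands anywhere inside the receive window is treated as acceptable, so a
    RST carrying any such number is honoured. Wraparound is handled by
    taking the offset from rcv_nxt modulo the sequence space.
    """
    if rcv_wnd <= 0:
        return False
    offset = (seq - rcv_nxt) % SEQ_SPACE
    return offset < rcv_wnd


def expected_guesses(rcv_wnd: int) -> int:
    """Distinct sequence numbers needed to guarantee one in-window hit,
    i.e. ceil(2**32 / rcv_wnd); with a window of 1 this is the full 2**32."""
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def window_hit_probability(rcv_wnd: int) -> float:
    """Probability that one uniformly random sequence number is in-window."""
    return min(rcv_wnd, SEQ_SPACE) / SEQ_SPACE


if __name__ == "__main__":
    # Constructed window sizes: a minimal window versus a common 64 KiB window.
    for wnd in (1, 65535):
        print(f"window={wnd:>6}: p(hit)={window_hit_probability(wnd):.2e} "
              f"guesses_to_cover_space={expected_guesses(wnd)}")
```

Larger advertised windows (for example with window scaling) widen the range of acceptable values further, so the same arithmetic gives a quick way to assess exposure of long-lived sessions before relying on any mitigation.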

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
