IDS mailing list archives
TCP checksums; was Re: A new TCP/IP blind data injection technique? (on bugtraq)
From: Marius Huse Jacobsen <mahuja () c2i net>
Date: Sat, 13 Dec 2003 04:49:19 -0800
Hello Michal,

Thursday, December 11, 2003, 4:41:13 PM, you wrote:

MZ> B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
MZ> seems that there is a notable (albeit unidentified at the moment)
MZ> population of systems that do consider it to be optional when set to
MZ> zero, or do not verify it at all. I have conducted a quick check
MZ> as follows:

MZ> - I have acquired a list of 300 most recent unique IPs that
MZ> had established a connection to a popular web server.

MZ> - I have sent a SYN packet with a correct TCP checksum to all
MZ> systems on the list, receiving 170 RST replies.

MZ> - I have sent a SYN packet with zero TCP checksum to all systems on
MZ> the list, receiving 12 RST replies (7% of the pool).

Brings me an idea... how do IDSes react to this sort of thing?
Could this be used for IDS evasion? "Overwriting" the attack packets
with zero packets that have a 0 checksum, or sending the attack in
packets with a TCP checksum of 0...

--
Best regards,
 Marius                          mailto:mahuja () c2i net
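The check a sensor can run before trusting a segment, as an added example that is not part of the original message: it verifies the TCP checksum over the IPv4 pseudo-header and separates a zero checksum from an otherwise wrong one, so both can be logged instead of silently reassembled or silently dropped. The addresses, ports and the `build_segment` and `triage` helpers are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (Internet checksum, RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def classify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Return 'valid', 'zero' or 'invalid' for a raw TCP segment (header + payload)."""
    if len(segment) < 20:
        return "invalid"                     # shorter than a minimal TCP header
    stored = struct.unpack("!H", segment[16:18])[0]
    # Summing pseudo-header + segment, stored checksum included, gives 0xFFFF when correct.
    # A stored 0x0000 that verifies is a legitimate (rare) value and stays 'valid'.
    if ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF:
        return "valid"
    return "zero" if stored == 0 else "invalid"

def build_segment(src_ip, dst_ip, payload=b"", checksum=None):
    """Constructed sample: minimal SYN header; checksum=None fills in the correct value."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    if checksum is None:
        body = pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload
        checksum = ~ones_complement_sum(body) & 0xFFFF
    return hdr[:16] + struct.pack("!H", checksum) + hdr[18:] + payload

def triage(src_ip, dst_ip, segments):
    """Indices and verdicts of segments a sensor should log rather than silently trust."""
    verdicts = [classify_tcp_checksum(src_ip, dst_ip, s) for s in segments]
    return [(i, v) for i, v in enumerate(verdicts) if v != "valid"]

if __name__ == "__main__":
    SRC, DST = "192.0.2.10", "198.51.100.20"   # documentation addresses (constructed)
    samples = [build_segment(SRC, DST), build_segment(SRC, DST, checksum=0),
               build_segment(SRC, DST, b"GET /", checksum=0x1234)]
    print(triage(SRC, DST, samples))
```
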