IDS mailing list archives
Re: TCP checksums; was Re: A new TCP/IP blind data injection technique? (on bugtraq)
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 15 Dec 2003 10:45:03 -0500
At 04:49 AM 12/13/2003 -0800, Marius Huse Jacobsen wrote:
> Hello Michal,
>
> Thursday, December 11, 2003, 4:41:13 PM, you wrote:
>
> MZ> B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
> MZ> seems that there is a notable (albeit unidentified at the moment)
> MZ> population of systems that do consider it to be optional when set to
> MZ> zero, or do not verify it at all. I have conducted a quick check
> MZ> as follows:
> MZ> - I have acquired a list of 300 most recent unique IPs that
> MZ> had established a connection to a popular web server.
> MZ> - I have sent a SYN packet with a correct TCP checksum to all
> MZ> systems on the list, receiving 170 RST replies.
> MZ> - I have sent a SYN packet with zero TCP checksum to all systems on
> MZ> the list, receiving 12 RST replies (7% of the pool).
>
> Brings me an idea... how do IDSes react to this sort of thing? Could this
> be used for IDS evasion? "Overwriting" the attack packets with zero packets
> that have a 0 checksum, or sending the attack in packets with a TCP checksum
> of 0...
>
> --
> Best regards,
> Marius mailto:mahuja () c2i net
Most NIDS (NFR, Snort, Dragon, etc.) drop this sort of TCP packet. If they did not, it could be used for insertion.

On the insertion side, NIDS that are not aware of the MTU for a network (like in front of a VPN) don't know if a packet of 1500 bytes will get fragmented or not. If you mark such a packet with the 'Don't Fragment' bit, the NIDS may pick up something that never makes it to the target. I've heard rumors of some NIDS-bypass tools that scan a target network to determine the MTU to various target IPs, and then launch specific attacks intermixed with bogus traffic that gets dropped in front of the VPN or whatever device is causing the small MTU.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
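The two insertion conditions discussed in this thread, a TCP segment whose checksum is zero or otherwise wrong, and a 'Don't Fragment' packet larger than the downstream MTU, both come down to the sensor asking "would the real endpoint accept this?" before feeding bytes into stream reassembly. The following is an added example written for this archive page, not code from Ron Gula, Tenable, Snort or any other product named above. It implements RFC 793 TCP checksum verification over the IPv4 pseudo-header, treats a zero checksum as a value to verify rather than as "not present", and adds a simple DF/MTU plausibility check. The addresses, ports and the downstream MTU of 576 are constructed sample values.

```python
"""
Checksum and MTU sanity checks a NIDS applies before stream reassembly.

Added example for the discussion above; not code from any product named
in the thread. Sample packets and addresses below are constructed.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of 16-bit big-endian words with carry folding."""
    if len(data) % 2:
        data += b"\x00"  # RFC 793: pad odd-length data with a zero octet
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum a sender would place in a segment whose checksum field is zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total) & 0xFFFF


def tcp_checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Summing pseudo-header plus segment (checksum field included) must give 0xFFFF.

    Unlike UDP, TCP has no "checksum absent" value: a zero field is verified
    like any other, so a sensor never treats it as a pass.
    """
    if len(segment) < 20:
        return False  # shorter than a minimal TCP header: not a segment
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, seq: int) -> bytes:
    """Constructed 20-byte SYN header with a correct checksum (sample data)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_disposition(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """What the sensor does with the segment: accept into reassembly or drop."""
    if tcp_checksum_valid(src_ip, dst_ip, segment):
        return "accept"
    (csum,) = struct.unpack("!H", segment[16:18])
    # Both cases are dropped; the label only distinguishes the alert text.
    return "drop-zero-checksum" if csum == 0 else "drop-bad-checksum"


def delivery_plausible(ip_total_length: int, dont_fragment: bool, downstream_mtu: int) -> bool:
    """A DF packet larger than the known downstream MTU is discarded en route,
    so the sensor must not treat its payload as delivered to the target.
    A sensor without a configured downstream MTU cannot make this call."""
    if ip_total_length <= downstream_mtu:
        return True
    return not dont_fragment  # oversized but fragmentable: it still arrives


if __name__ == "__main__":
    SRC = bytes([192, 0, 2, 1])        # constructed sample addresses
    DST = bytes([198, 51, 100, 7])
    good = build_syn(SRC, DST, 40000, 80, 0x11223344)
    zeroed = good[:16] + b"\x00\x00" + good[18:]
    print("correct checksum:", checksum_disposition(SRC, DST, good))
    print("zero checksum:   ", checksum_disposition(SRC, DST, zeroed))
    print("1500-byte DF packet behind 576-byte MTU delivered?",
          delivery_plausible(1500, True, 576))
```

The verification sums the checksum field along with everything else and expects the one's complement zero, 0xFFFF, which is why a segment whose field was blanked to zero fails unless the true checksum happened to be zero. The MTU check is deliberately conservative: a sensor that does not know the downstream MTU should flag such packets as uncertain rather than assume the target saw them.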