Full Disclosure mailing list archives
Re: A new TCP/IP blind data injection technique?
From: Shachar Shemesh <fulldisc () sun consumer org il>
Date: Thu, 11 Dec 2003 10:56:01 +0200
Michal Zalewski wrote:
This attack is timing sensitive, route sensitive, and is highly unreliable. Those problems aside, however, there is a more fundamental problem. You need to time each and every fragmented packet you send to always arrive before or after (depending on the receiving machine's IP stack) the corresponding legit fragment, yet before the entire packet is assembled. All of that, without having any knowledge about either of the communicating parties.

> Consider the following: Bob sends a TCP/IP ACK packet to Alice, with a data payload and within an established session, of which session the attacker is aware (attacker-induced or server to server traffic, perhaps). Bob's packet exceeds the MTU somewhere en route (be it on some WAN interface, or on a local PPPoA, PPPoE or VPN interface), a situation not quite unheard of; the IP packet gets fragmented in order to be delivered successfully.
How do you get the legit connection you are trying to overload to fragment at the place you mention? Most TCP/IP connections employ PMTU discovery, and then split the stream at layer 4, rather than perform layer 3 assembly. As a result, fragments in TCP/IP communication are extremely rare. The probes I know of show that major sites hardly ever see any fragments at all, outside of deliberate attacks.
Even if you found a victim that does not employ PMTU, fragmentation is still a rare occurrence.
Even if you found a victim that does not employ PMTU, connecting to a machine where the route requires fragmentation, that splitting is performed by the routers en route. Most routers split the packet with the large chunk being at the beginning. Assuming MTU can never go below ~300 bytes (a conservative number - most will say 512), this means the entire IP and TCP headers are in the same fragment, as well as quite a chunk of the actual TCP payload.
All in all, an interesting attack vector, but I'm not sure how practical it is.
Shachar

--
Shachar Shemesh
Open Source integration & consulting
Home page & resume - http://www.shemesh.biz/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
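The fragmentation argument above (headers plus a chunk of TCP payload all land in the first fragment at any realistic MTU) can be checked with a small RFC 791 fragmentation model. This is an added illustration, not code from the thread; the 20-byte IP and TCP header sizes and the sample packet lengths are assumptions.

```python
"""Model IPv4 fragmentation of a TCP segment along RFC 791 rules.

Shows which fragment carries the TCP header and how much TCP payload rides
with it, for a given path MTU. Header sizes and packet lengths are assumed.
"""
from dataclasses import dataclass
from typing import List

IP_HDR = 20   # assumed: IPv4 header without options
TCP_HDR = 20  # assumed: TCP header without options


@dataclass
class Fragment:
    offset: int       # fragment offset field, in 8-byte units
    more: bool        # More Fragments (MF) flag
    payload_len: int  # bytes of the original IP payload in this fragment


def fragment(ip_payload_len: int, mtu: int, ip_hdr: int = IP_HDR) -> List[Fragment]:
    """Split an IP payload (TCP header + data) into fragments that fit `mtu`.

    Every fragment but the last must carry a multiple of 8 payload bytes,
    and a router fills each fragment as full as the MTU allows.
    """
    if mtu < ip_hdr + 8:
        raise ValueError("MTU too small to carry even one 8-byte fragment")
    max_chunk = (mtu - ip_hdr) // 8 * 8  # largest 8-byte multiple that fits
    frags, off = [], 0
    while off < ip_payload_len:
        chunk = min(max_chunk, ip_payload_len - off)
        frags.append(Fragment(off // 8, off + chunk < ip_payload_len, chunk))
        off += chunk
    return frags


def tcp_header_fragment(frags: List[Fragment], tcp_hdr: int = TCP_HDR) -> int:
    """Index of the fragment that carries the last byte of the TCP header."""
    for i, f in enumerate(frags):
        if f.offset * 8 + f.payload_len >= tcp_hdr:
            return i
    raise ValueError("payload shorter than a TCP header")


def first_fragment_data_bytes(frags: List[Fragment], tcp_hdr: int = TCP_HDR) -> int:
    """TCP payload bytes that travel in fragment 0 together with the headers."""
    return max(0, frags[0].payload_len - tcp_hdr)


if __name__ == "__main__":
    # Constructed case: a 1500-byte datagram (1480 bytes of IP payload)
    # crossing a 576-byte link, then a 300-byte link as in the post.
    for mtu in (576, 300):
        fr = fragment(1480, mtu)
        print(mtu, [(f.offset, f.more, f.payload_len) for f in fr],
              "hdr in frag", tcp_header_fragment(fr),
              "data in frag0:", first_fragment_data_bytes(fr))
```

Only at an MTU below 40 bytes, far under anything a real link uses, does the TCP header straddle fragments.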