Re: Massive stupidity (Was: Re: TCP vulnerability)

["Alexei Roudnev" <alex () relcom net>]

Assuming that he do not know port number and must try 20 - 40 ports, it
takes 200 * 10 = 2000 seconds to resert a single session... Useless except a
very special cases 9such as a big community decided to knock down SCO, for
example).



> At 05:09 PM 20/04/2004, Richard A Steenbergen wrote:
>
> > party to know which side won the collision handling. Therefore you need
> > 262144 packets * 3976 ephemeral ports (assuming both sides are jnpr,
again
> > worst case) * 2 (to figure out who was the connecter and who was the
> > accepter) = 2084569088 packets to exhaustively search all space on this
> > one single Juniper to Juniper session. Now, lets just for the sake of
> > argument say that the router is capable of actively processing 10,000
> > packets/sec of rst (a fairly exagerated number) and still have this be
> > considered a tcp attack instead of a straight DoS against the routing
> > engine. This will still take 208456 seconds, or 57.9 hours.
> <snip>
> I dont understand why the large differences in claims
>
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
>
> says
>     Modern operating
>     systems normally default the RCV.WND to about 32,768 bytes. This
>     means that a blind attacker need only guess 65,535 RST segments
>     (2^^32/(RCV.WND*2)) in order to reset a connection. At DSL speeds
>     this means that most connections (assuming the attacker can
>     accurately guess both ports) can be reset in under 200 seconds
>     (usually far less). With the rise of broadband availability and
>     increasing available bandwidth, many Operating Systems have raised
>     their default RCV.WND to as much as 64k, thus making these attacks
>     even easier.
>
>
> Also, with the various 'bots' at peoples disposal, why the assumption the
> attack would not be distributed.
>
>          ---Mike