Bugtraq mailing list archives

Re: the next generation of nuke.c


From: smb () research att com (smb () research att com)
Date: Thu, 26 Jan 95 15:30:13 EST


         More of a denial of service attack, but with the current discussion on
         bugtraq/firewalls regarding sequence number guessing, I thought I'd put
         forward a method on killing an established TCP connection, besides the
         (mis)usage of ICMP unreachable messages.  It would also appear that
         although this attack is more difficult to launch, it would also be more
         difficult to prevent.

         Since it's possible to guess sequence numbers of the packets in a TCP
         connection, it seems it would be possible to then send a fake FIN message
         to our target, followed directly by an ACK to acknowledge the closing
         of the connection.

         If you wanted to kill a connection, all you would have to do is flood one
         of the ends with FIN/ACK packets until you get the sequence numbers
         correct.

         - Oliver

Well, RST is more definitive than FIN, somehow...

That said, the attack you cite is harder to carry out than you think.
It's easy to guess the next starting sequence number for a connection;
it's much harder to know what the sequence number status is of an existing
connection unless you're sniffing the wire.  You'd also have to know
what the client's port number was; again, without sniffing the wire, that's
hard to come by, unless one of the two sites has an overly-cooperative
SNMP server.
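The two obstacles Bellovin raises (the attacker must hit the live connection's sequence-number state, and must also know the client's ephemeral port) are exactly the checks a TCP receiver applies before acting on a FIN or RST. The following model is an added example, not code from the original thread or from either poster; it assumes the receiver applies the RFC 793 acceptability test (the segment's sequence number must fall inside the current receive window) and matches the full 4-tuple, and it uses a constructed connection and constructed segments. `blind_guess_space` quantifies what a sender that cannot observe the wire is up against: each segment can land in only one window-sized slice of the 32-bit sequence space, and only counts if the port guess was right too.

```python
"""Added example (not part of the original Bugtraq post): receiver-side
checks that make blind FIN/RST injection hard without sniffing the wire.

Assumptions (mine, not stated in the thread): the receiver applies the
RFC 793 acceptability test, RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, and the
segment must match the connection's full 4-tuple before it is processed.
"""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment carrying no data.

    True when RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2**32
    so that comparisons stay correct across sequence-number wrap-around.
    """
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


@dataclass(frozen=True)
class Connection:
    """Receiver's view of one established connection (constructed)."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # current receive window size in bytes


@dataclass(frozen=True)
class Segment:
    """The header fields of an incoming segment that matter here."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    seq: int
    flags: frozenset


def accepts_teardown(conn: Connection, seg: Segment) -> bool:
    """Would this endpoint act on an unsolicited FIN or RST?

    The segment must first match the 4-tuple (the client port is the part
    Bellovin notes is hard to learn without sniffing), carry FIN or RST,
    and then pass the receive-window test.
    """
    if not (seg.dst_addr == conn.local_addr and seg.dst_port == conn.local_port
            and seg.src_addr == conn.remote_addr
            and seg.src_port == conn.remote_port):
        return False
    if not (seg.flags & {"FIN", "RST"}):
        return False
    return seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd)


def blind_guess_space(rcv_wnd: int, ephemeral_ports: int) -> int:
    """Number of (window slice, port) combinations a sender that cannot
    observe the connection would have to cover to be certain of a hit.

    2**32 / rcv_wnd window-sized slices cover the sequence space, and each
    slice must be tried for every candidate client port.  A smaller window
    or a narrower ephemeral-port range raises the work factor.
    """
    windows = -(-MOD // rcv_wnd)  # ceiling division
    return windows * ephemeral_ports


if __name__ == "__main__":
    # Constructed connection: a client on port 40000 talking to a server.
    conn = Connection("10.0.0.2", 23, "10.0.0.1", 40000,
                      rcv_nxt=1_000_000, rcv_wnd=8192)
    right_tuple = dict(src_addr="10.0.0.1", src_port=40000,
                       dst_addr="10.0.0.2", dst_port=23)
    out_of_window = Segment(seq=5_000_000, flags=frozenset({"FIN", "ACK"}),
                            **right_tuple)
    in_window = Segment(seq=1_000_100, flags=frozenset({"RST"}), **right_tuple)
    print("out-of-window FIN accepted:", accepts_teardown(conn, out_of_window))
    print("in-window RST accepted:    ", accepts_teardown(conn, in_window))
    print("blind guesses to be certain (64 KiB window, 64512 ports):",
          blind_guess_space(65536, 64512))
```

The window test alone is why a FIN or RST carrying an arbitrary sequence number is silently dropped, and the 4-tuple test is why the client port matters as much as the sequence number; both are things a defender can tighten (smaller advertised windows, unpredictable ephemeral ports) without touching the attacker's side of the problem.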