Bugtraq mailing list archives

Re: tcp/ip DoS vulnerability - possibly what Guardent is talking about


From: David LaPorte <dlaporte () CCS NEU EDU>
Date: Wed, 14 Mar 2001 08:50:30 -0500

Bert,

The subject of this paper seems very close to what you are talking about -
check out the Optimistic ACKing section.  You may have already seen it,
since it appeared on Ars Technica in May of last year.  They were thinking
in terms of faster downloads, rather than a DoS attack, but the concept is
the same.

http://arstechnica.com/reviews/2q00/networking/networking-4.html#optimistic%20acking
http://www.cs.washington.edu/homes/savage/papers/CCR99.pdf

David LaPorte

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of bert hubert
Sent: Monday, March 12, 2001 5:29 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: tcp/ip DoS vulnerability - possibly what Guardent is talking about


On Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin wrote on NANOG:

> Any details? Any incidents using the exploit guardent has identified?

Not to my knowledge...

The folks at Guardent are talking to CERT and to various vendors about
the problem before releasing any details.

The 50,000 foot view:
There is a further vulnerability in TCP/IP if you can determine the Initial
Sequence Number without actually starting a connection. By exploiting your
knowledge of the remote host, a telephone modem user can cause webservers to
become massive Denial of Service agents, targeting arbitrary targets. Lots
of consumer editions of Windows come with easily guessable sequence
numbers.

I actually tried this and it works, but because I was busy with another
project (see .sig), I neglected to share it with the world. However, as
Guardent says, it is pretty hard to actually do this. Once the exploit is
out, it becomes far easier. It took me 2 days of non-stop coding to get it
to work.

I'm not sure if this is what Guardent means, but I suspect it is.

In more detail:
A regular HTTP TCP/IP session looks (modulo some details - read Stevens'
TCP/IP Illustrated for a full explanation) like this:

Browser computer                     Server Computer
----------------------------------------------------
SYN, my sequence number is 25
                                     SYN|ACK, my number is 14
[25] GET /bigfile
                                     [14]  ACK up til 25
                                     [14]  500 bytes of bigfile
                                     [514] 500 more bytes
[38] ACK up til 514
                                     [1014] 1000 more bytes
                                     [2014] 1000 more bytes
[38] ACK up til 2014
                                     [3014] 1000 more bytes
                                     [4014] 1000 more bytes
[38] ACK up til 4014


********************************************************************************
   Now the important bit: the Server Computer sends at the rate that properly
   received data is ACKnowledged.
********************************************************************************

Normally, the only thing that a receiving computer can achieve is to send ACKs
more rapidly than data is actually coming in, and thereby DoS itself. Not
very interesting.

Now, if you are able to guess the number '14' above, and you know the packet
sizes a server will produce, you can invent ACKs from arbitrary source IP
addresses. The Server Computer doesn't notice anything interesting, and
blasts out data at speeds possibly exceeding its interface or line speed.

********************************************************************************
   If you can create fake ACKnowledgements, you determine the amount of data
   generated. If you fake them rapidly, this is called Denial of Service.
********************************************************************************

The dangerous bit is that you can now DoS others. Just produce ACK packets
that look like they were produced by your desired target, and blast away.

If media people want to have a fuller understanding, please contact me. I am
more than willing to explain at length if it helps prevent incorrect
reporting.

Regards,

bert hubert

--
http://www.PowerDNS.com      Versatile DNS Services
Trilab                       The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet


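The mechanism both posters describe, the sender's output being paced by the ACKs it receives, and the countermeasure from the Savage et al. CCR'99 paper linked above (the sender tags each segment with a random nonce and the receiver echoes the running sum of the nonces it actually received), modelled as a small simulation. This is an added illustration, not code from either poster and not a real TCP stack: the ISN of 14, the 1000-byte segments, the two-segments-per-ACK growth and the `Sender`/`Receiver` classes are assumptions chosen to mirror the trace in the quoted message.

```python
"""Toy model of TCP's ACK clock and of a cumulative-nonce check.

Added illustration for this thread, not code from either poster and not a
real TCP stack.  ISN, segment size and growth rule are assumptions that
mirror the trace quoted above; the nonce idea follows the CCR'99 paper.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int       # sequence number of the first payload byte
    length: int    # payload bytes
    nonce: int     # random tag; a party that never saw the segment cannot know it


@dataclass
class Sender:
    isn: int
    rng: random.Random
    mss: int = 1000
    segments_per_ack: int = 2          # growth drawn in the trace above (assumed)
    next_seq: int = field(init=False)
    sent: list = field(default_factory=list)
    bytes_sent: int = 0
    rejected_acks: int = 0             # a useful counter to alert on

    def __post_init__(self):
        self.next_seq = self.isn

    def send(self):
        seg = Segment(self.next_seq, self.mss, self.rng.randrange(1, 1 << 16))
        self.sent.append(seg)
        self.next_seq += self.mss
        self.bytes_sent += self.mss
        return seg

    def expected_nonce_sum(self, ack):
        # Sum over every segment fully covered by the cumulative ACK.  Kept as
        # an unbounded int here; a real header field would be fixed width.
        return sum(s.nonce for s in self.sent if s.seq + s.length <= ack)

    def on_ack(self, ack, nonce_echo=0, check_nonce=False):
        """Process a cumulative ACK and return the segments it releases.

        This is the ACK clock: output is paced by incoming ACKs, so whoever
        controls the ACK stream controls the send rate."""
        # Every TCP drops an ACK for bytes it never sent.  That check cannot
        # separate a forged ACK for sent-but-undelivered bytes from a real one.
        if ack < self.isn or ack > self.next_seq:
            self.rejected_acks += 1
            return []
        # The nonce echo can: it must match the tags of the data actually
        # delivered, which a party that never received the data cannot compute.
        if check_nonce and nonce_echo != self.expected_nonce_sum(ack):
            self.rejected_acks += 1
            return []
        return [self.send() for _ in range(self.segments_per_ack)]


class Receiver:
    """Honest receiver: ACKs only bytes it holds and echoes the nonce sum."""

    def __init__(self, isn):
        self.ack = isn
        self.nonce_sum = 0

    def deliver(self, seg):
        if seg.seq == self.ack:          # in-order delivery only, for simplicity
            self.ack += seg.length
            self.nonce_sum += seg.nonce


def honest_transfer(rounds, isn=14, seed=1):
    """Normal case: ACKs derived from received data pass the nonce check."""
    sender = Sender(isn, random.Random(seed))
    receiver = Receiver(isn)
    in_flight = [sender.send(), sender.send()]      # reply to the request
    for _ in range(rounds):
        for seg in in_flight:
            receiver.deliver(seg)
        in_flight = sender.on_ack(receiver.ack, receiver.nonce_sum, check_nonce=True)
    return sender.bytes_sent, sender.rejected_acks


def guessed_ack_stream(rounds, check_nonce, isn=14, seed=1):
    """ACKs computed only from the ISN and the known segment size, never from
    received data (the situation the thread describes).  The nonce echo is a
    fixed guess because the guesser never saw the segments."""
    sender = Sender(isn, random.Random(seed))
    sender.send()
    sender.send()
    guessed_ack = isn
    for _ in range(rounds):
        guessed_ack += sender.segments_per_ack * sender.mss
        sender.on_ack(guessed_ack, nonce_echo=0, check_nonce=check_nonce)
    return sender.bytes_sent, sender.rejected_acks


if __name__ == "__main__":
    print("honest receiver, nonce check on: ", honest_transfer(3))
    print("guessed ACKs, no nonce check:    ", guessed_ack_stream(3, False))
    print("guessed ACKs, nonce check on:    ", guessed_ack_stream(3, True))
```

Without the nonce check the sender cannot tell the two ACK streams apart and releases the same 8000 bytes to both, which is the point the quoted message makes; with it, the first ACK that does not carry the right echo is dropped, every later guessed ACK then falls outside the sent range, and the `rejected_acks` counter climbs, which is the signal an operator would want to log.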