Bugtraq mailing list archives
Re: A new TCP/IP blind data injection technique?
From: stanislav shalunov <shalunov () internet2 edu>
Date: 11 Dec 2003 15:58:47 -0500
Michael Wojcik <Michael.Wojcik () microfocus com> writes:
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] However, it's a trivial matter to take the original text, the replacement text, and compute an original such that the checksum comes out "the same".True, but irrelevant to the problem at hand, where the attacker has neither the original checksum nor the original text.
There's clearly an attack here; the attacker can replace known bits in some parts of the stream with bits of his choice. This can be useful to replace, e.g., a username here or there, or a predictable URL (perhaps in a request for a news site to a proxy server). It is a weakness. What mitigates the attack is that if pMTUd is used, it won't work because all packets will have the DF bit set. Practically all modern OSes will use pMTUd. Michal pointed out in private communication that some broken firewalls will strip the DF bit off packets. Some of these same firewalls will also reduce MSS and do other things designed to prevent fragmentation; it's not clear to me how frequently fragmentation of TCP packets happens in practice. But in any case, ``broken firewalls have negative net effect on security'' is not exactly a newsflash; we knew that. Broken firewalls can also hurt performance badly and interfere with deployment of new features in the IP protocol (think ECN) and new applications. Now, UDP in its default state will not set DF and, in some cases, systems and applications are intentionally (mis)configured to send packets that will be fragmented. NFS, with frequently used block size of 4kB or 8kB, would be an important example. P.S. Since IPv6 has no notion of en-route fragmentation, it is immune. This is actually the first known to me example of a security issue where IPv6 design actually improves security. -- Stanislav Shalunov http://www.internet2.edu/~shalunov/
Current thread:
- Re[2]: A new TCP/IP blind data injection technique?, (continued)
- Re[2]: A new TCP/IP blind data injection technique? Marius Huse Jacobsen (Dec 13)
- Breaking the checksum (a new TCP/IP blind data injection technique) Michal Zalewski (Dec 15)
- Re: A new TCP/IP blind data injection technique? Kris Kennaway (Dec 11)
- Re: A new TCP/IP blind data injection technique? Casper Dik (Dec 11)
- RE: A new TCP/IP blind data injection technique? David Gillett (Dec 11)
- Message not available
- Message not available
- Re: A new TCP/IP blind data injection technique? Michal Zalewski (Dec 12)
- Re: A new TCP/IP blind data injection technique? Barney Wolff (Dec 12)
- Re: A new TCP/IP blind data injection technique? Michal Zalewski (Dec 12)
- Re: A new TCP/IP blind data injection technique? Stephen Frost (Dec 12)
- Message not available
- RE: A new TCP/IP blind data injection technique? Michael Wojcik (Dec 11)
- Re: A new TCP/IP blind data injection technique? stanislav shalunov (Dec 12)