Educause Security Discussion mailing list archives

Re: Fwd: [VulnWatch] TCP reset vulnerability


From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Tue, 20 Apr 2004 16:37:01 -0400

as i read it, there are two specific things to note:

* since the SEQ # for the RST must be within the TCP window and tcp
windows can be as large as 2^16 bytes, the probability of sending a
valid RST (assuming you know the src/dst ip and port) is not 1 in 2^32,
but instead as large as 1 in (2^32 / 2^16) or 1 in 2^16

* that's still pretty small, but for long running, predictable
connections (e.g. BGP) it could mean that (on average) one could send as
few as 2^15 RSTs before expecting the connection to be torn down.

other issues mentioned, like data insertion, are much less likely
because in order to insert data at a precise point, one would need to
know the exact SEQ numbers and would have the original 1 in 2^32
problem.

that's how i read it.  anyone else see anything more worrisome?

thanks
-c
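As an added illustration (not part of Christopher Cramer's message or the original report), the acceptance rule behind the 2^16 and 2^15 figures above can be modelled directly; the window sizes and receiver state values used here are constructed, not taken from any real connection.

```python
"""Risk model for the TCP RST-in-window issue discussed in the thread.

Added example, not code from the mailing list. It models only the
receiver-side acceptance rule (a RST is accepted when its SEQ falls inside
the receive window) and the resulting guess counts; no packets are built.
"""
from math import ceil

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, window: int) -> bool:
    """True if SEQ lies in [rcv_nxt, rcv_nxt + window) modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def guesses_to_cover(window: int) -> int:
    """Guesses needed so that one of them surely lands in a window of this size.

    Stepping the guessed SEQ by `window` each time tiles the 2**32 space;
    with window == 2**16 this is the thread's 2**16 figure.
    """
    return ceil(SEQ_SPACE / window)


def expected_guesses(window: int) -> float:
    """Average guesses before a hit when the window position is unknown.

    Half the covering count; with window == 2**16 this is the thread's 2**15.
    """
    return guesses_to_cover(window) / 2


def hits_when_stepping_by_window(window: int, rcv_nxt: int) -> int:
    """Count how many guesses of a window-stepped sweep the receiver would accept.

    Exactly one guess lands in the window when `window` divides 2**32, which is
    why the window size, not 2**32, sets the effective search space.
    """
    return sum(
        1 for i in range(guesses_to_cover(window))
        if in_window((i * window) % SEQ_SPACE, rcv_nxt, window)
    )


if __name__ == "__main__":
    for w in (2 ** 16, 2 ** 14):  # constructed window sizes
        print(w, guesses_to_cover(w), expected_guesses(w))
```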


On Tue, 2004-04-20 at 15:09, Steve Worona wrote:
I felt the same way, and then I read this part of the report:

Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed 
that a successful denial of service attack was not achievable in practice. ...

The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper 
"Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the 
probability of guessing an acceptable sequence number is much higher than 1/2**32 because the receiving TCP 
implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The 
window makes TCP reset attacks practicable.

So is this a relevant new discovery?  Or old news?

Steve
-----
At 1:25 PM -0500 4/20/04, Gene Spafford wrote:
Gosh, I keep feeling deja vu all over again. :-)    This was a
problem that was extensively discussed about 5 or 6 years ago....
Why is it rearing its head again?   Why do we keep seeing the same
problems again and again and again......?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
