Educause Security Discussion mailing list archives
Re: Fwd: [VulnWatch] TCP reset vulnerability
From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Tue, 20 Apr 2004 16:37:01 -0400
as i read it, there are two specific things to note:

* since the SEQ # for the RST must be within the TCP window and tcp windows can be as large as 2^16 bytes, the probability of sending a valid RST (assuming you know the src/dst ip and port) is not 1 in 2^32, but instead as large as 1 in (2^32 / 2^16) or 1 in 2^16

* that's still pretty small, but for long running, predictable connections (e.g. BGP) it could mean that (on average) one could send as few as 2^15 RSTs before expecting the connection to be torn down.

other issues mentioned, like data insertion, are much less likely because in order to insert data at a precise point, one would need to know the exact SEQ numbers and would have the original 1 in 2^32 problem.

that's how i read it. anyone else see anything more worrisome?

thanks
-c

On Tue, 2004-04-20 at 15:09, Steve Worona wrote:
> I felt the same way, and then I read this part of the report:
>
> Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. ... The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/2**32 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The window makes TCP reset attacks practicable.
>
> So is this a relevant new discovery? Or old news?
>
> Steve
>
> -----
>
> At 1:25 PM -0500 4/20/04, Gene Spafford wrote:
>
>> Gosh, I keep feeling deja vu all over again. :-) This was a problem that was extensively discussed about 5 or 6 years ago.... Why is it rearing its head again? Why do we keep seeing the same problems again and again and again......?

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Fwd: [VulnWatch] TCP reset vulnerability H. Morrow Long (Apr 20)
- <Possible follow-ups>
- Re: Fwd: [VulnWatch] TCP reset vulnerability Gene Spafford (Apr 20)
- Re: Fwd: [VulnWatch] TCP reset vulnerability Steve Worona (Apr 20)
- Re: Fwd: [VulnWatch] TCP reset vulnerability Gene Spafford (Apr 20)
- Re: Fwd: [VulnWatch] TCP reset vulnerability Christopher E. Cramer (Apr 20)