IDS mailing list archives

TCP checksums; was Re: A new TCP/IP blind data injection technique? (on bugtraq)


From: Marius Huse Jacobsen <mahuja () c2i net>
Date: Sat, 13 Dec 2003 04:49:19 -0800


Hello Michal,

Thursday, December 11, 2003, 4:41:13 PM, you wrote:

MZ>    B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
MZ>       seems that there is a notable (albeit unidentified at the moment)
MZ>       population of systems that do consider it to be optional when set to
MZ>       zero, or do not verify it at all. I have conducted a quick check
MZ>       as follows:

MZ>       - I have acquired a list of 300 most recent unique IPs that
MZ>         had established a connection to a popular web server.
MZ>       - I have sent a SYN packet with a correct TCP checksum to all
MZ>         systems on the list, receiving 170 RST replies.
MZ>       - I have sent a SYN packet with zero TCP checksum to all systems on
MZ>         the list, receiving 12 RST replies (7% of the pool).

Brings me an idea... how do IDSes react to this sort of thing? Could
this be used for IDS evasion?

"Overwriting" the attack packets with zero packets that have a 0
checksum, or sending the attack in packets with a tcp checksum of 0...

--
Best regards,
 Marius                            mailto:mahuja () c2i net

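As an added example (not code from this thread or from any of the posters), here is the TCP checksum verification a sensor needs before it can tell a correctly checksummed segment from a zero-checksum one or a corrupted one. The addresses, ports and segments are constructed for the sample; the `classify_segment`, `build_syn` and `audit` names are made up for this illustration.

```python
import ipaddress
import struct
TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a 16-bit ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"  # RFC 793: an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment,
    with the checksum field itself (bytes 16-17) treated as zero."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def classify_segment(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """'ok' if the checksum verifies, 'zero' if the field is 0 (the case the
    thread discusses, which some hosts accept), 'bad' if it does not verify."""
    if len(segment) < 20:
        return "truncated"
    (field,) = struct.unpack_from("!H", segment, 16)
    if field == 0:
        return "zero"
    return "ok" if field == tcp_checksum(src_ip, dst_ip, segment) else "bad"

def build_syn(src_ip, dst_ip, sport, dport, checksum=None) -> bytes:
    """Constructed 20-byte SYN with no options; checksum=None means correct."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", checksum) + hdr[18:]

def audit(src_ip, dst_ip, segments):
    """(index, verdict) of every segment a sensor should not silently treat as
    endpoint-accepted: 'bad' ones the real host drops, 'zero' ones it may not."""
    return [(i, v) for i, seg in enumerate(segments)
            if (v := classify_segment(src_ip, dst_ip, seg)) != "ok"]

# Constructed sample: the same SYN with a correct, a zero and a corrupted checksum.
SRC, DST = "10.0.0.1", "10.0.0.2"
SEGMENTS = [build_syn(SRC, DST, 40000, 80),
            build_syn(SRC, DST, 40000, 80, checksum=0),
            build_syn(SRC, DST, 40000, 80, checksum=0x1234)]
```

Because the sensor cannot know whether a given endpoint verifies checksums, the defensible policy is to log both verdicts rather than to silently reassemble or silently drop either kind.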

