IDS mailing list archives

Re: TCP checksums; was Re: A new TCP/IP blind data injection technique? (on bugtraq)


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 15 Dec 2003 10:45:03 -0500

At 04:49 AM 12/13/2003 -0800, Marius Huse Jacobsen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Michal,

Thursday, December 11, 2003, 4:41:13 PM, you wrote:

MZ> B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
MZ>       seems that there is a notable (albeit unidentified at the moment)
MZ>       population of systems that do consider it to be optional when set to
MZ>       zero, or do not verify it at all. I have conducted a quick check
MZ>       as follows:

MZ>       - I have acquired a list of 300 most recent unique IPs that
MZ>         had established a connection to a popular web server.
MZ>       - I have sent a SYN packet with a correct TCP checksum to all
MZ>         systems on the list, receiving 170 RST replies.
MZ>       - I have sent a SYN packet with zero TCP checksum to all systems on
MZ>         the list, receiving 12 RST replies (7% of the pool).

Brings me an idea... how do IDSes react to this sort of thing? Could
this be used for IDS evasion?

"Overwriting" the attack packets with zero packets that have a 0
checksum, or sending the attack in packets with a TCP checksum of 0...

- --
Best regards,
 Marius                            mailto:mahuja () c2i net

Most NIDS (NFR, Snort, Dragon, etc.) drop this sort of TCP packet. If
they did not, it could be used for insertion.

On the insertion side, NIDS that are not aware of the MTU for a network
(like in front of a VPN) don't know if a packet of 1500 bytes will get
fragmented or not. If you mark such a packet with the 'Don't Fragment'
bit, the NIDS may pick up something that never makes it to the target.

I've heard rumors of some NIDS-bypass tools that scan a target network
to determine MTU to various target IPs, and then launch specific attacks
intermixed with bogus traffic that gets dropped in front of the VPN or
whatever device causing the small MTU.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
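The following is an added example, not code from the thread or from any of the products named in it. It implements the TCP checksum over the IPv4 pseudo-header (RFC 793 / RFC 1071) and then applies two receiver policies to a constructed SYN: the strict policy Ron describes for NIDS (any segment whose checksum does not verify is dropped) and the permissive policy Michal's 7% of hosts appear to follow (a zero checksum field is treated as "not computed" and the segment is accepted). The addresses, port numbers and function names are assumptions chosen for the demonstration.

```python
import struct

# Constructed sample addresses from documentation ranges (assumption, not from the thread).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 80])
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"              # odd-length payloads are padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, seg_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Value the sender writes into header bytes 16..17 (computed with that field zeroed)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return (~ones_complement_sum(covered)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver-side check: summing the segment *including* its checksum field must yield 0xFFFF.
    Unlike UDP, TCP has no 'zero means absent' rule, so a 0x0000 field is simply verified like any other."""
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF


def build_syn(sport: int, dport: int, seq: int = 1, checksum: int = 0) -> bytes:
    """Bare 20-byte TCP SYN header (data offset 5, no options, window 65535)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, checksum, 0)


def verdict(src_ip: bytes, dst_ip: bytes, segment: bytes, strict: bool = True) -> str:
    """strict=True  : NIDS behaviour described in the post, drop anything that fails verification.
       strict=False : permissive stack, accept a zero checksum field as 'not computed'."""
    if tcp_checksum_ok(src_ip, dst_ip, segment):
        return "accept"
    field = struct.unpack("!H", segment[16:18])[0]
    if field == 0 and not strict:
        return "accept"              # this is the gap an attacker would use for insertion
    return "drop"


def demo() -> dict:
    """Run the three variants of the same SYN through both policies."""
    syn = build_syn(40000, 80)
    good = build_syn(40000, 80, checksum=tcp_checksum(SRC_IP, DST_IP, syn))
    zero = syn                                   # checksum field left at 0
    bad = build_syn(40000, 80, checksum=0x1234)  # arbitrary wrong value
    return {
        name: (verdict(SRC_IP, DST_IP, seg, strict=True),
               verdict(SRC_IP, DST_IP, seg, strict=False))
        for name, seg in (("good", good), ("zero", zero), ("bad", bad))
    }


if __name__ == "__main__":
    for name, (nids, permissive) in demo().items():
        print("%-5s NIDS(strict)=%-6s host(permissive)=%s" % (name, nids, permissive))
```

A segment with a wrong non-zero checksum is dropped by both policies, so it cannot be used for insertion against a strict sensor or a permissive host. Only the zero-field case splits them: the sensor discards the segment while the permissive host processes it, which is exactly the asymmetry that makes zero-checksum traffic usable for evasion against a sensor that, unlike the products named above, fails to verify checksums.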