Full Disclosure mailing list archives
Re: A new TCP/IP blind data injection technique?
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Thu, 11 Dec 2003 10:46:04 +0100 (CET)
On Thu, 11 Dec 2003, Shachar Shemesh wrote:
> This attack is timing sensitive, route sensitive, and is highly unreliable.

So is all session injection, but we have seen practical attacks in the past. A very popular piece of software to drop Windows 9x users from IRC servers by performing a RST packet injection into an existing session worked surprisingly well. Although the problems you mention make some attacks very difficult, in many other cases, this is not an issue. Server-to-server communications are often either completely predictable, or can be user-induced (and still benefit him in some way when compromised). In other cases, a low success ratio is not a problem when you want to just disrupt communications at some point, and do not care about the exact packet for which this happens (for all sessions that last for a while).

> Those problems aside, however, there is a more fundamental problem. You need to time each and every fragmented packet you send to always arrive before or after (depending on receiving machine's IP stack) the corresponding legit fragment, yet before the entire packet is assembled.

Not really. You can just push a non-zero offset packet with no MF set, and the reassembly will end immediately, without waiting for the remaining chunks.

> Most TCP/IP connections employ PMTU discovery, and then split the stream at layer 4, rather than perform Layer 3 assembly.

It is a matter of OS configuration. Many systems indeed do deploy PMTU recently. There is a catch, however: some routers, IP-over-nnn tunnels, and some firewalls strip and/or ignore the DF flag. This is not as uncommon as we would like it to be. I actually have done some research to back this claim while writing p0f and encountering some strange discrepancies in observed signatures.

> Even if you found a victim that does not employ PMTU, fragmentation is still a rare occurrence.

I would disagree, but the point of my post is not to get involved in a pissing contest in making unfounded claims, but to open a discussion. I do not think this is a threat one should lose sleep over, either, but the fact is, it makes session data injection considerably easier than with ISN guessing.

-- 
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-12-11 10:37 --
http://lcamtuf.coredump.cx/photo/current/
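The exchange above turns on one reassembly detail: a final fragment (MF clear, non-zero offset) fixes the datagram's total length, so a host stack considers the datagram complete the moment bytes 0..end are covered, and anything arriving for that IP ID afterwards is an orphan. The following is an added example, not code from this thread or from p0f, that models that naive reassembly in a few dozen lines and records the two symptoms a monitoring device (an IDS reassembler, a firewall log) can key on: a fragment for an IP ID whose reassembly already completed, and overlapping fragments whose bytes disagree. The `Fragment` class, the `ReassemblyMonitor`, and the 16-byte sample datagram are all constructed for the illustration; real fragment offsets are multiples of 8, which the sample respects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment, reduced to the fields reassembly cares about (constructed model)."""
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # fragment offset in bytes (the header field value times 8)
    mf: bool        # More Fragments flag; False marks the final fragment
    payload: bytes


class ReassemblyMonitor:
    """Reassembles like a naive host stack (complete as soon as a final fragment
    has fixed the end and bytes 0..end are covered) and collects defender-side alerts."""

    def __init__(self):
        self.pending = {}      # ident -> {offset: payload} for datagrams still open
        self.end = {}          # ident -> total length announced by the MF=0 fragment
        self.completed = set() # idents whose reassembly already finished
        self.alerts = []       # (ident, reason) tuples for an operator to review

    def feed(self, frag):
        """Consume one fragment; return the reassembled datagram when complete, else None."""
        if frag.ident in self.completed:
            # The genuine tail arriving after a forged tail closed the datagram
            # shows up exactly like this: a fragment for an ident that is already done.
            self.alerts.append((frag.ident, "fragment for already reassembled datagram"))
            return None
        parts = self.pending.setdefault(frag.ident, {})
        lo, hi = frag.offset, frag.offset + len(frag.payload)
        for off, data in parts.items():
            o_lo, o_hi = off, off + len(data)
            start, stop = max(lo, o_lo), min(hi, o_hi)
            if start < stop and frag.payload[start - lo:stop - lo] != data[start - o_lo:stop - o_lo]:
                # Same byte range seen twice with different contents is never benign retransmission.
                self.alerts.append((frag.ident, "overlapping fragments with conflicting data"))
        parts[frag.offset] = frag.payload
        if not frag.mf:
            self.end[frag.ident] = hi
        return self._try_complete(frag.ident)

    def _try_complete(self, ident):
        end = self.end.get(ident)
        if end is None:
            return None            # no final fragment yet, so the total length is unknown
        parts = self.pending[ident]
        out, pos = bytearray(), 0
        while pos < end:
            if pos not in parts:
                return None        # a hole remains; keep waiting
            out += parts[pos]
            pos += len(parts[pos])
        if pos != end:
            return None            # fragment runs past the announced end; do not trust it
        self.completed.add(ident)
        del self.pending[ident], self.end[ident]
        return bytes(out)


# Constructed sample datagram: an 8-byte head and an 8-byte tail, IP ID 0x1234.
LEGIT_HEAD = Fragment(0x1234, 0, True, b"GET /ind")
LEGIT_TAIL = Fragment(0x1234, 8, False, b"ex.html\n")
FORGED_TAIL = Fragment(0x1234, 8, False, b"INJECTED")   # constructed, same offset as the real tail


def injection_scenario():
    """Forged tail first, then the legit head and tail: the ordering the thread describes."""
    mon = ReassemblyMonitor()
    results = [mon.feed(f) for f in (FORGED_TAIL, LEGIT_HEAD, LEGIT_TAIL)]
    return results, mon.alerts


def benign_reorder_scenario():
    """Plain reordering (tail before head) completes correctly and raises no alert."""
    mon = ReassemblyMonitor()
    results = [mon.feed(f) for f in (LEGIT_TAIL, LEGIT_HEAD)]
    return results, mon.alerts


if __name__ == "__main__":
    print(injection_scenario())
    print(benign_reorder_scenario())
```

The contrast between the two scenarios is the point: a tail arriving before its head is normal reordering and completes cleanly, so "MF=0 with non-zero offset seen first" is not by itself a useful signature. What distinguishes the injection case is the leftover: the datagram closes with the forged bytes and the genuine tail then arrives for an ident that is already finished, which is the event worth counting per source address.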