Re: A new TCP/IP blind data injection technique?

[Barney Wolff <barney () databus com>]

On Fri, Dec 12, 2003 at 01:41:13AM +0100, Michal Zalewski wrote:
>    B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
>       seems that there is a notable (albeit unidentified at the moment)
>       population of systems that do consider it to be optional when set to
>       zero, or do not verify it at all. I have conducted a quick check
>       as follows:
>
>       - I have acquired a list of 300 most recent unique IPs that
>         had established a connection to a popular web server.
>       - I have sent a SYN packet with a correct TCP checksum to all
>         systems on the list, receiving 170 RST replies.
>       - I have sent a SYN packet with zero TCP checksum to all systems on
>         the list, receiving 12 RST replies (7% of the pool).
>
>       As such, there seems to be a reason for some concern, even with
>       random IP IDs, since it only takes one RFC-ignorant party for the
>       attack against a session to succeed.

I suspect that in these cases the RSTs may be coming from firewalls rather
than end-hosts.  It would be more impressive and surprising if one ever
got a SYN-ACK in response.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html