Full Disclosure mailing list archives
Re: Reflection Scan: an Off-Path Attack on TCP
From: xD 0x41 <secn3t () gmail com>
Date: Thu, 19 Jan 2012 13:22:35 +1100
On 18 January 2012 09:45, Jan Wrobel <wrr () mixedbit org> wrote:
Hi,

This TCP session hijacking technique might be of interest to some of you.

Abstract: The paper demonstrates how traffic load of a shared packet queue can be exploited as a side channel through which protected information leaks to an off-path attacker. The attacker sends to a victim a sequence of identical spoofed segments. The victim responds to each segment in the sequence (the sequence is reflected by the victim) if the segments satisfy a certain condition tested by the attacker. The responses do not reach the attacker directly, but induce extra load on a routing queue shared between the victim and the attacker. Increased processing time of packets traversing the queue reveals that the tested condition was true. The paper concentrates on the TCP, but the approach is generic and can be effective against other protocols that allow to construct requests which are conditionally answered by the victim. A proof of concept was created to assess applicability of the method in real-life scenarios.

The paper in ps and pdf is available at http://mixedbit.org and http://arxiv.org/abs/1201.2074

Proof of concept: https://github.com/wrr/reflection_scan

Thanks,
Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Very cool :) Thanks for showing this as a 'type' of sequencing, i'd love to test this with winBITS and see what makes a difference in there...but yea, nice stuff from the snippets i have read and could comprehend without making a packetting app :P hehe..great work, and great paper for ANY hat to wear. Might have to try it one day and see if it is as effective as it seems! great stuff tho, anything to do with bugs within TCP-IP stacks, should be always encouraged... thanks for the encouragement :-) Cheers, and I'll maybe add more on this and another person's ( pi3.com.pl ) tcp ip session hijacking, which people have even said, is impossible... i guess they should find and watch that video, or just ask the author of the blog, to explain it more...maybe would have them something to actually see as a 'p0c'.... anyhow, many thanks in your input and, again any further addons and appendices to the papers just, let the list know, and i'll make sure the topic maybe gets a better coverage, as, this is also a topic many ppl called me a wanker on...or maybe one of them :s megh, i dont count now, i just read the msgs from 3 ppl and delete the rest :) best way to use fd, is to take what you're given, and stfu... i dont know why so many ppl seem to call me this, when, i am only interested, in bugs i can actually exploit...yet, so much bullsh1t on this forum, they have forgotten what a bug is, and, what a poc is....and now, these are 'design flaws' lol....anyhow, please keep up the research, we like it!
Oh thats, the ppl like, 3 of you (maybe) who actually, seem cool ;) You also do, and you're on a great topic, dont let idiots pick out any flaws in anything on this subject, coz believe me, behind every trolling i've been thru, that was the worst when i spoke about, methods of hijacking tcp ip stack....and did not give out the poc...well, now, the poc is available to see on video for those who are not idiots and abuse, but actually, want to see it working :) Ok, thats my 2bob, dont expect any answers, unless you're a VERY well known person, i will auto delete it, so, i hope to see you in my channel, anytime online... and there, we could discuss ANYTHING :) Why some of you are there, and see what i do, i guess are not the haters on this list but, also, they get what 'they're given', which is ALOTTTT in the cases where people are cool....so, i guess the moral of the story is, dont smash the stack toooo hard.... enjoy budddy, im probably one of few who would even understand it but anyhow :P Thanks!I Drew. PS: NOT a top poster anymore, omg, whats this, not using Glow XD , what is this, madness!! omg! Seriously folks, you should all read more of people like this's work, and then maybe, contribute some of your own frigging srcs, instead of relying on ppl like kcope to fist fuck you, which is fine by me :> i hope he fucks this list over, nonstop till your arses bleed, but hey, thats JUST me! love you all long fucking time arseholes, goto hell, and dont even try talkin to me, ever, if you're not already in the addy book, you will fkn known about it and oh, i CAN ddos you, and i WILL, so, anytime you like to shit me, in private, and wish to test your fwall, go hard, i dun care, i should say, we...but, it really doesnt matter, coz, i dont even have to press the buttons for the wankers who have already flamed me in past anymore, you will only feel what i love best, TCP/IP and, possibly UDP! Have a fucking GREAT day arsefucker.
Oh and, lickers are cool so, no offence there nor for them :) PEACE TO YOU MOFOS // XD #HAXNET FUCKUALL