[also posted to Bugtraq separately]

On Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin wrote:
> Any details? Any incidents using the exploit Guardent has identified?
Not to my knowledge...
The folks at Guardent are talking to CERT and to various vendors about the problem before releasing any details.
The 50,000 foot view: There is a further vulnerability in TCP/IP if you can determine the Initial Sequence Number without actually starting a connection. By exploiting your knowledge of the remote host, a telephone modem user can cause webservers to become massive Denial of Service agents, targeting arbitrary targets. Lots of consumer editions of Windows come with easily guessable sequence numbers.

I actually tried this and it works, but because I was busy with another project (see .sig), I neglected to share it with the world. However, as Guardent says, it is pretty hard to actually do this. Once the exploit is out, it becomes far easier. It took me 2 days of non-stop coding to get it to work.

I'm not sure if this is what Guardent means, but I suspect it is.

In more detail: A regular HTTP TCP/IP session looks (modulo some details - read Stevens' TCP/IP Illustrated for a full explanation) like this:

Browser computer                          Server Computer
----------------------------------------------------------
SYN, my sequence number is 25
                                          SYN|ACK, my number is 14
[25] GET /bigfile
                                          [14] ACK up til 25
                                          [14] 500 bytes of bigfile
                                          [514] 500 more bytes
[38] ACK up til 514
                                          [1014] 1000 more bytes
                                          [2014] 1000 more bytes
[38] ACK up til 2014
                                          [3014] 1000 more bytes
                                          [4014] 1000 more bytes
[38] ACK up til 4014

********************************************************************************
Now the important bit: the Server Computer sends at the rate that properly
received data is ACKnowledged.
********************************************************************************

Normally, the only thing that a receiving computer can achieve is to send ACKs more rapidly than data is actually coming in, and thereby DoS itself. Not very interesting.

Now, if you are able to guess the number '14' above, and you know the packet sizes a server will produce, you can invent ACKs from arbitrary source IP addresses. The Server Computer doesn't notice anything interesting, and blasts out data at speeds possibly exceeding its interface or line speed.

********************************************************************************
If you can create fake ACKnowledgements, you determine the amount of data
generated. If you fake them rapidly, this is called Denial of Service.
********************************************************************************

The dangerous bit is that you can now DoS others. Just produce ACK packets that look like they were produced by your desired target, and blast away.

If media people want to have a fuller understanding, please contact me. I am more than willing to explain at length if it helps prevent incorrect reporting.

Regards,

bert hubert

-- 
http://www.PowerDNS.com         Versatile DNS Services
Trilab                          The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
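The precondition for everything in the post above is an Initial Sequence Number that an outsider can guess without completing a handshake. The following is an added example, not code from bert hubert's post or from Guardent: a small check an administrator can run over a series of ISNs observed from one of their own hosts (for instance taken from a packet capture of successive connections) to judge whether the host hands out ISNs in a fixed or narrow step. All ISN samples in the block are constructed for illustration, and the 16-bit / 50% thresholds in isn_report() are this example's own heuristic, not a standard.

```python
"""Check how predictable a host's TCP Initial Sequence Numbers (ISNs) are.

Added example, not code from bert hubert's post. The attack he describes
needs an ISN that can be guessed without completing a handshake; a host that
hands out ISNs in a fixed or narrow step is the precondition. All ISN samples
here are CONSTRUCTED for illustration, not captures from any real host, and
the thresholds in isn_report() are this example's own heuristic.
"""
from collections import Counter
from typing import Dict, List

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns: List[int]) -> List[int]:
    """Successive differences between observed ISNs, modulo 2**32."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def isn_report(isns: List[int]) -> Dict[str, object]:
    """Summarise predictability of a series of ISNs observed from one host.

    distinct_deltas   number of different increments seen (1 = constant step)
    top_delta_share   fraction of increments equal to the most common one
    spread_bits       floor(log2(max delta - min delta + 1)): roughly how many
                      bits of the next ISN an observer would still have to guess
    verdict           'predictable' if spread_bits < 16 or one increment makes
                      up at least half the samples, otherwise 'acceptable'
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    counts = Counter(deltas)
    top_share = counts.most_common(1)[0][1] / len(deltas)
    spread = max(deltas) - min(deltas) + 1
    spread_bits = spread.bit_length() - 1  # floor(log2(spread))
    predictable = spread_bits < 16 or top_share >= 0.5
    return {
        "samples": len(isns),
        "distinct_deltas": len(counts),
        "top_delta_share": top_share,
        "spread_bits": spread_bits,
        "verdict": "predictable" if predictable else "acceptable",
    }


def constant_step_isns(start: int, step: int, count: int) -> List[int]:
    """Constructed sample: a stack that advances its ISN by a fixed step per
    connection, the 'easily guessable' behaviour the post refers to."""
    return [(start + i * step) % SEQ_SPACE for i in range(count)]


# Constructed sample standing in for a host with well-randomised ISNs.
RANDOMISED_ISNS = [
    0x3A7F12C4, 0x9E02B7D1, 0x1C5D8E93, 0xF04A23B8,
    0x57C1D90E, 0xB8E6F452, 0x2D9A6C07, 0x6F13E8A5,
]


if __name__ == "__main__":
    for label, samples in (
        ("fixed-step host", constant_step_isns(1000, 64000, 10)),
        ("randomised host", RANDOMISED_ISNS),
    ):
        print(label, isn_report(samples))
```

The fixed-step host reports a single distinct increment and a spread of 0 bits, which is the "predictable" case; the constructed randomised host reports seven distinct increments spread over roughly 31 bits. The spread measure is deliberately crude: it only tells you the window a guess would have to cover, so a host that passes it should still be assessed with the stack vendor's own documentation on ISN generation.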