On Mon, Mar 12, 2001 at 11:25:35PM +0100, bert hubert wrote:
> The 50,000-foot view: There is a further vulnerability in TCP/IP if you can determine the Initial Sequence Number without actually starting a connection. By exploiting your knowledge of the remote host, a telephone modem user can cause webservers to become massive Denial of Service agents, targeting arbitrary targets. Lots of consumer editions of windows come with easily guessable sequence numbers.
...
> Now, if you are able to guess the number '14' above, and you know the packet sizes a server will produce, you can invent ACKs from arbitrary source IP addresses. The Server Computer doesn't notice anything interesting, and blasts out data at speeds possibly exceeding its interface or line speed.
And since the "victim" will have the current sequence number for inbound data, what would keep it from (correctly) sending an RST and tearing down this false connection?

Also, even given the assumption that Windows is easily ISN spoofable (which I would certainly hope is not the case, I thought everyone learned that lesson years ago), I don't see many consumer editions of windows being readily available to hackers, running webservers with large files on fast uplinks. I think any kind of useful ISN-guessing based DoS would require sniffing access to the server in question. It might be possible to "speed up" the transmission of an already established connection improperly for a short time, but this would quickly fall over and die. It might also be possible to trick the "big server" into sending more data to a host which does not exist and cannot reply than it can successfully deliver outbound for an extremely short time, but I think if your "big server" is ISN-guessable you have bigger problems to worry about. And if the hacker does have ISN-sniffable access, why would it not be easier for them to launch the attack directly from their compromised machine on the same network?

BTW, if you wanted to force the packets to a known size, this could easily be done with a small MSS option. In fact it's probably far deadlier to establish a real connection to a big webserver with a tiny MSS and watch it send tons of small packets. To my knowledge there is no (reasonable) minimum size limit for a requested MSS?

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
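The MSS option Richard mentions is a four-byte TCP option (kind 2, length 4, 16-bit value) carried in the SYN, and the wire format itself puts no lower bound on the value. The following is an added example, not code from anyone in this thread: it builds a raw SYN segment carrying an attacker-chosen MSS, computes the TCP checksum over the IPv4 pseudo-header so a receiver would accept it, parses the option list back out the way a receiving stack does, and counts how many segments a response of a given size then costs the server. The addresses and ports are constructed for the example (RFC 5737 documentation ranges); nothing here puts packets on a wire.

```python
import socket
import struct

# Constructed addresses for the example (RFC 5737 documentation ranges).
CLIENT_IP, SERVER_IP = "192.0.2.1", "192.0.2.2"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (RFC 793)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_syn(src_ip, dst_ip, sport, dport, isn, mss, window=8192) -> bytes:
    """Raw TCP segment (no IP header): a SYN carrying an MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)   # the option format imposes no minimum value
    data_offset = (20 + len(options)) // 4     # header length in 32-bit words; 24 bytes needs no padding
    hdr = struct.pack("!HHIIBBHHH", sport, dport, isn, 0,
                      data_offset << 4, 0x02, window, 0, 0) + options
    csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # bytes 16-17 are the checksum field


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header + segment (checksum included) must sum to zero."""
    return inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_options(segment: bytes) -> dict:
    """Walk the option list as a receiving stack does: stop at End-of-Options (0), skip NOP (1)."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, out = segment[20:data_offset], 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed length: refuse rather than over-read
            raise ValueError("bad TCP option length")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def advertised_mss(segment: bytes):
    """The MSS the peer asked for, or None if the SYN carried no MSS option."""
    opts = parse_options(segment)
    return struct.unpack("!H", opts[2])[0] if 2 in opts else None


def segments_for(response_bytes: int, mss: int) -> int:
    """Number of data segments the server must emit to deliver response_bytes at this MSS."""
    return -(-response_bytes // mss)   # ceiling division


if __name__ == "__main__":
    syn = build_syn(CLIENT_IP, SERVER_IP, 40000, 80, 0x12345678, 86)
    print(syn.hex())
    print("advertised MSS:", advertised_mss(syn),
          "checksum ok:", checksum_ok(CLIENT_IP, SERVER_IP, syn))
    for mss in (1460, 536, 86):
        print(f"1 MB response at MSS {mss}: {segments_for(1_000_000, mss)} segments")
```

The parser is the part worth keeping: it rejects an option whose declared length runs past the header instead of reading beyond it, which is the check a stack (or a sniffer-side tool) needs before trusting anything a SYN advertises.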
Richard, I do not claim that this trick will bring down the world. But it is yet another argument for proper ISN-generation.

On Mon, Mar 12, 2001 at 06:09:32PM -0500, Richard A. Steenbergen wrote:
> And since the "victim" will have the current sequence number for inbound data, what would keep it from (correctly) sending an RST and tearing down this false connection?
The victim need not be an actual running server. There are lots of IP addresses that you can send data to at will, without receiving RST or ICMP packets deterring you. You still take down their connection though.
> Also, even given the assumption that Windows is easily ISN spoofable (which I would certainly hope is not the case, I thought everyone learned that lesson years ago), I don't see many consumer editions of windows
I recall bugtraq postings in which Microsoft stated, or was reported to have stated, that they release patches for server editions of their OS to have proper ISN generation, but wouldn't bother for consumer editions.
> being readily available to hackers, running webservers with large files on fast uplinks.
Well, when I was at university, this certainly was the case. Lots of Windows95 machines running the 'Microsoft Personal Webserver'.
> I think any kind of useful ISN-guessing based DoS would require sniffing access to the server in question. It might be possible to "speed up" the transmission of an already established connection improperly for a short time, but this would quickly fall over and die. It might also be possible
Have you tried this? I tested with the famously slow 'DEMOS' modems as used by Casema Internet. These connect to your computer using a serial cable. Any single cable segment has at most 156kbit/s available, for on average 25 customers. Yes. Yet I was able to spoof up to half a megabit of traffic without trying really hard.
> BTW If you wanted to force the packets to a known size, this could easily be done with a small MSS option. In fact it's probably far deadlier to establish a real connection to a big webserver with a tiny MSS and watch it send tons of small packets. To my knowledge there is no (reasonable) minimum size limit for a requested MSS?
Actually, I spent a lot of time today for a customer debugging problems with 86 byte MSS packets in combination with transparent proxying. It doesn't work that well, not yet sure why.

Regards,

bert hubert

-- 
http://www.PowerDNS.com          Versatile DNS Services
Trilab                           The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
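The disagreement above comes down to two things: whether the ISN the server hands to a spoofed SYN can be predicted from connections the attacker made himself, and how much data a sender that hears only forged ACKs will push at a silent victim. The following is an added simulation, not code posted by anyone in this thread and not an implementation of any real stack: it models one "guessable" generator (a fixed increment per connection) and one RFC 1948-style generator (clock plus a keyed hash of the 4-tuple, with MD5 standing in for the hash and a constructed 1-second clock step), then runs the blind attack bert describes against a toy sender that releases a window of data per acceptable ACK, with no retransmit timers and no RST from the victim (bert's unreachable-address case). Addresses are constructed from RFC 5737 ranges; sequence arithmetic inside the toy sender is left unwrapped for readability.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF
# Constructed addresses (RFC 5737 documentation ranges); none appear in the thread.
SERVER, ATTACKER, VICTIM = "192.0.2.10", "198.51.100.9", "203.0.113.5"


class LinearISN:
    """Stack whose ISN grows by a fixed amount per connection: two samples give the next one."""
    def __init__(self, start: int, step: int = 64000):
        self.cur, self.step = start & MASK, step

    def next(self, src, sport, dst, dport) -> int:
        self.cur = (self.cur + self.step) & MASK
        return self.cur


class Rfc1948ISN:
    """ISN = clock + F(4-tuple, secret), the shape RFC 1948 recommends (MD5 stands in for F)."""
    def __init__(self, secret: bytes = b""):
        self.secret = secret or os.urandom(16)
        self.clock = 0

    def next(self, src, sport, dst, dport) -> int:
        self.clock = (self.clock + 250_000) & MASK   # assumed: ~1 s per connection at RFC 793's 4 us tick
        tup = f"{src}:{sport}-{dst}:{dport}".encode()
        offset = struct.unpack("!I", hashlib.md5(self.secret + tup).digest()[:4])[0]
        return (self.clock + offset) & MASK


def predict_isn(isn_a: int, isn_b: int) -> int:
    """Attacker's guess: assume the delta between the last two observed ISNs repeats."""
    return (isn_b + ((isn_b - isn_a) & MASK)) & MASK


class ToySender:
    """Server side, reduced to the essentials: a window of response data is released each time
    an acceptable ACK advances SND.UNA. No retransmissions, no RST from the (silent) victim."""
    def __init__(self, isn, response_len, mss=1460, window=8192):
        self.isn, self.mss, self.window = isn, mss, window
        self.snd_una = self.snd_nxt = isn + 1       # the SYN consumed one sequence number
        self.end = isn + 1 + response_len
        self.established = False
        self.bytes_to_victim = 0

    def handshake_ack(self, ack) -> bool:
        """Third packet of the handshake must acknowledge exactly ISN+1, or no connection exists."""
        if ack == self.isn + 1:
            self.established = True
        return self.established

    def request(self):
        """A (spoofed) HTTP request arrives; the server starts streaming the response."""
        if self.established:
            self._send()

    def ack(self, ack):
        """RFC 793 acceptability test: SND.UNA < SEG.ACK =< SND.NXT, anything else is ignored."""
        if self.established and self.snd_una < ack <= self.snd_nxt:
            self.snd_una = ack
            self._send()

    def _send(self):
        limit = min(self.end, self.snd_una + self.window)
        while self.snd_nxt < limit:
            seg = min(self.mss, limit - self.snd_nxt)   # attacker knows mss, so knows every boundary
            self.snd_nxt += seg
            self.bytes_to_victim += seg


def blind_amplification(gen, response_len, mss=1460, window=8192):
    """Run the attack against one ISN generator; returns (guess_was_right, bytes pushed at VICTIM)."""
    # 1. attacker opens two real connections from its own address and reads the ISNs off the SYN|ACKs
    seen = [gen.next(ATTACKER, 40000 + i, SERVER, 80) for i in range(2)]
    guess = predict_isn(seen[0], seen[1])
    # 2. spoofed SYN from VICTIM: the SYN|ACK carrying the real ISN goes to VICTIM, never to the attacker
    isn = gen.next(VICTIM, 1025, SERVER, 80)
    srv = ToySender(isn, response_len, mss, window)
    # 3. attacker completes the handshake blind, sends the request, then ACKs every window it predicts
    srv.handshake_ack(guess + 1)
    srv.request()
    ack = guess + 1
    while ack < guess + 1 + response_len:
        ack = min(ack + window, guess + 1 + response_len)
        srv.ack(ack)
    return guess == isn, srv.bytes_to_victim


if __name__ == "__main__":
    for name, gen in (("linear ISN", LinearISN(0x1000)), ("RFC 1948 ISN", Rfc1948ISN())):
        ok, sent = blind_amplification(gen, 1_000_000)
        print(f"{name:13s} guess correct: {str(ok):5s} bytes sent to victim: {sent}")
```

Against the linear generator the whole 1 MB response leaves the server on nothing but forged ACKs, which is the amplification bert measured over a modem; against the keyed-hash generator the blind handshake ACK misses ISN+1 and the toy sender never enters ESTABLISHED, so not a byte moves. The model deliberately omits retransmission, which on a real stack would add a bounded amount of extra traffic to the victim but does not change which generator makes the attack possible.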
On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
> And since the "victim" will have the current sequence number for inbound data, what would keep it from (correctly) sending an RST and tearing down this false connection?
And THAT my friends, was the *original* purpose for a TCP SYN flood - it wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim so you could forge a connection and NOT get nailed by an RST. I'm sure that Steve Bellovin can point us at the original discussion of this, which was *ages* ago. I remember hearing that Kevin Mitnick used that (in addition to other tricks) against Shimomura's machines and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
participants (3)
- bert hubert
- Richard A. Steenbergen
- Valdis.Kletnieks@vt.edu