In message <87hf0z59qe.fsf@lackawana.kippona.com>, Chris Beggy writes:
> tcp,guardent,bellovin are all mentioned in a WSJ article on DOS and session hijacking, but I don't see anything on CERT yet.
> Any details? Any incidents using the exploit guardent has identified?

Not to my knowledge... The folks at Guardent are talking to CERT and to various vendors about the problem before releasing any details.

--Steve Bellovin, http://www.research.att.com/~smb
On or around Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin may have written:
> In message <87hf0z59qe.fsf@lackawana.kippona.com>, Chris Beggy writes:
> > tcp,guardent,bellovin are all mentioned in a WSJ article on DOS and session hijacking, but I don't see anything on CERT yet.
> > Any details? Any incidents using the exploit guardent has identified?
>
> Not to my knowledge...
> The folks at Guardent are talking to CERT and to various vendors about the problem before releasing any details.
>
> --Steve Bellovin, http://www.research.att.com/~smb

so WSJ is considered a vendor these days?

-- 
Scott Francis                    scott@ [work:] v i r t u a l i s . c o m
Systems Analyst              darkuncle@ [home:] d a r k u n c l e . n e t
PGP fingerprint 7ABF E2E9 CD54 A1A8 804D 179A 8802 0FBA CB33 CCA7
    illum oportet crescere me autem minui
Hi

Is there anything actually new in this exploit compared to the known TCP hijacking vulnerabilities as portrayed, say, in Phrack 50 (Juggernaut)?

Thanks
Rafi

-- 
Rafi Sadowsky                                rafi@oumail.openu.ac.il
Network/System/Security     VoiceMail: +972-3-646-0592  FAX: +972-3-646-0454
Mangler ( :-)               | FIRST-REP for ILAN-CERT(CERT@CERT.AC.IL)
Open University of Israel   | (PGP key -> ) http://telem.openu.ac.il/~rafi

On Mon, 12 Mar 2001, Steven M. Bellovin wrote:

> In message <87hf0z59qe.fsf@lackawana.kippona.com>, Chris Beggy writes:
> > tcp,guardent,bellovin are all mentioned in a WSJ article on DOS and session hijacking, but I don't see anything on CERT yet.
> > Any details? Any incidents using the exploit guardent has identified?
>
> Not to my knowledge...
> The folks at Guardent are talking to CERT and to various vendors about the problem before releasing any details.
>
> --Steve Bellovin, http://www.research.att.com/~smb
[also posted to Bugtraq separately]

On Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin wrote:
> > Any details? Any incidents using the exploit guardent has identified?
>
> Not to my knowledge...
> The folks at Guardent are talking to CERT and to various vendors about the problem before releasing any details.
The 50,000 foot view:

There is a further vulnerability in TCP/IP if you can determine the Initial Sequence Number without actually starting a connection. By exploiting your knowledge of the remote host, a telephone modem user can cause webservers to become massive Denial of Service agents, targeting arbitrary targets.

Lots of consumer editions of Windows come with easily guessable sequence numbers.

I actually tried this and it works, but because I was busy with another project (see .sig), I neglected to share it with the world. However, as Guardent says, it is pretty hard to actually do this. Once the exploit is out, it becomes far easier. It took me 2 days of non-stop coding to get it to work.

I'm not sure if this is what Guardent means, but I suspect it is.

In more detail:

A regular HTTP TCP/IP session looks (modulo some details - read Stevens' TCP/IP Illustrated for a full explanation) like this:

Browser computer                          Server Computer
----------------------------------------------------------
SYN, my sequence number is 25
                                          SYN|ACK, my number is 14
[25] GET /bigfile
                                          [14] ACK up til 25
                                          [14] 500 bytes of bigfile
                                          [514] 500 more bytes
[38] ACK up til 514
                                          [1014] 1000 more bytes
                                          [2014] 1000 more bytes
[38] ACK up til 2014
                                          [3014] 1000 more bytes
                                          [4014] 1000 more bytes
[38] ACK up til 4014

********************************************************************************
Now the important bit: the Server Computer sends at the rate that properly received data is ACKnowledged.
********************************************************************************

Normally, the only thing that a receiving computer can achieve is to send ACKs more rapidly than data is actually coming in, and thereby DoS itself. Not very interesting.

Now, if you are able to guess the number '14' above, and you know the packet sizes a server will produce, you can invent ACKs from arbitrary source IP addresses. The Server Computer doesn't notice anything interesting, and blasts out data at speeds possibly exceeding its interface or line speed.

********************************************************************************
If you can create fake ACKnowledgements, you determine the amount of data generated. If you fake them rapidly, this is called Denial of Service.
********************************************************************************

The dangerous bit is that you can now DoS others. Just produce ACK packets that look like they were produced by your desired target, and blast away.

If media people want to have a fuller understanding, please contact me. I am more than willing to explain at length if it helps prevent incorrect reporting.

Regards,

bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Services
Trilab                       The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
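The ACK-driven sending that bert describes above, as an added example that is not part of his post and not PowerDNS code: a toy Python model of a sender whose window slides only on an acceptable ACK. It assumes a 1000-byte segment, a 20,000-byte /bigfile, a window that starts at two segments and grows by one segment per fresh ACK, and 40-byte ACK packets; these are illustrative numbers chosen for the model, not values from the thread, and the spoofed SYN/GET that would precede the attack is assumed already done. It runs three cases: an honest receiver, an attacker who knows the server's ISN and the segment size and so can ACK data it never sees, and an attacker whose ISN guess is wrong, which shows why the RFC 793 acceptability check (SND.UNA < SEG.ACK =< SND.NXT) makes the ISN the linchpin.

```python
# Added example: toy model of the spoofed-ACK amplification described in the
# post above.  Constructed simulation, not a real TCP stack; the constants
# below are assumptions for illustration.
from dataclasses import dataclass, field

SEGMENT = 1000      # bytes per data segment (assumed)
BIGFILE = 20_000    # size of /bigfile (assumed)
ACK_PKT = 40        # bytes on the wire for a minimal IPv4+TCP ACK (assumed)


@dataclass
class Server:
    """Sender side only: emits data while the window has room and slides
    the window when an acceptable ACK arrives."""
    isn: int                            # server's Initial Sequence Number
    file_size: int = BIGFILE
    cwnd: int = 2 * SEGMENT             # window starts at two segments (assumed)
    snd_una: int = field(init=False)    # oldest unacknowledged byte
    snd_nxt: int = field(init=False)    # next byte to send
    bytes_sent: int = 0
    bad_acks: int = 0

    def __post_init__(self):
        self.snd_una = self.snd_nxt = self.isn + 1   # the SYN consumed one number

    @property
    def end(self):
        return self.isn + 1 + self.file_size

    def send_allowed(self):
        """Emit segments until the file is done or the window is full."""
        out = []
        while self.snd_nxt < self.end and self.snd_nxt - self.snd_una < self.cwnd:
            n = min(SEGMENT, self.end - self.snd_nxt)
            out.append((self.snd_nxt, n))
            self.snd_nxt += n
            self.bytes_sent += n
        return out

    def receive_ack(self, ack):
        """RFC 793 acceptability test: SND.UNA < SEG.ACK =< SND.NXT.
        Anything else, including an ACK for data not yet sent, is dropped;
        this is why the attacker needs the ISN *and* the segment sizes."""
        if not (self.snd_una < ack <= self.snd_nxt):
            self.bad_acks += 1
            return False
        self.snd_una = ack
        self.cwnd += SEGMENT   # each fresh ACK opens the window one segment (assumed)
        return True


def honest_transfer(isn):
    """Receiver really gets the data and ACKs the cumulative edge."""
    s = Server(isn)
    delivered = acks = 0
    while True:
        segs = s.send_allowed()
        if not segs:
            break
        delivered += sum(n for _, n in segs)
        acks += 1
        s.receive_ack(segs[-1][0] + segs[-1][1])
    return {"sent": s.bytes_sent, "delivered": delivered, "acks": acks}


def spoofed_ack_attack(isn, guessed_isn, max_acks=100):
    """Attacker ACKs from the victim's address without seeing a single data
    byte (it all goes to the victim).  Each ACK number is computed from the
    guessed ISN and the known segment size, one segment further each time."""
    s = Server(isn)
    s.send_allowed()                    # server's first burst after the spoofed GET
    ack_bytes = 0
    for k in range(1, max_acks + 1):
        ack_bytes += ACK_PKT
        s.receive_ack(guessed_isn + 1 + k * SEGMENT)
        s.send_allowed()
        if s.snd_nxt == s.end:          # whole file pushed out; attacker is done
            break
    return {"sent": s.bytes_sent, "ack_bytes": ack_bytes,
            "bad_acks": s.bad_acks, "amplification": s.bytes_sent / ack_bytes}


if __name__ == "__main__":
    ISN = 14                            # the '14' from the diagram above
    print("honest   :", honest_transfer(ISN))
    print("known ISN:", spoofed_ack_attack(ISN, ISN))
    print("wrong ISN:", spoofed_ack_attack(ISN, ISN + 123_456))
```

The amplification figure is bytes the server pushes toward the victim per byte of spoofed ACK the attacker sends: in this model roughly 55:1 once the ISN is known, collapsing to nothing beyond the initial two-segment burst when the guess is off, because every ACK then lies outside the acceptable window and is discarded.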
participants (4)
- bert hubert
- Rafi Sadowsky
- Scott Francis
- Steven M. Bellovin