tcp,guardent,bellovin

bert hubert ahu at ds9a.nl
Mon Mar 12 22:25:35 UTC 2001


[also posted to Bugtraq separately]

On Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin wrote:

> >Any details? Any incidents using the exploit guardent has
> >identified?
> 
> Not to my knowledge...
> 
> The folks at Guardent are talking to CERT and to various vendors about 
> the problem before releasing any details.

The 50,000-foot view:
There is a further vulnerability in TCP/IP if you can determine the Initial
Sequence Number without actually starting a connection. By exploiting your
knowledge of the remote host, a telephone modem user can cause web servers to
become massive Denial of Service agents, targeting arbitrary targets. Lots
of consumer editions of Windows come with easily guessable sequence numbers.

I actually tried this and it works, but because I was busy with another
project (see .sig), I neglected to share it with the world. However, as
Guardent says, it is pretty hard to actually do this. Once the exploit is
out, it becomes far easier. It took me 2 days of non-stop coding to get it to
work. 

I'm not sure if this is what Guardent means, but I suspect it is.

In more detail:
A regular HTTP TCP/IP session looks (modulo some details - read Stevens'
TCP/IP Illustrated for a full explanation) like this:

Browser computer                     Server Computer
----------------------------------------------------
SYN, my sequence number is 25
                                     SYN|ACK, my number is 14
[25] GET /bigfile
                                     [14]  ACK up til 25
                                     [14]  500 bytes of bigfile
                                     [514] 500 more bytes
[38] ACK up til 514
                                     [1014] 1000 more bytes     
                                     [2014] 1000 more bytes
[38] ACK up til 2014
                                     [3014] 1000 more bytes
                                     [4014] 1000 more bytes
[38] ACK up til 4014

********************************************************************************
   Now the important bit: the Server Computer sends at the rate that properly
   received data is ACKnowledged.
********************************************************************************

Normally, the only thing that a receiving computer can achieve is send ACKs
more rapidly than data is actually coming in, and thereby DoS itself. Not
very interesting.

Now, if you are able to guess the number '14' above, and you know the packet
sizes a server will produce, you can invent ACKs from arbitrary source IP
addresses. The Server Computer doesn't notice anything interesting, and
blasts out data at speeds possibly exceeding its interface or line speed.

********************************************************************************
   If you can create fake ACKnowledgements, you determine the amount of data
   generated. If you fake them rapidly, this is called Denial of Service.
********************************************************************************

The dangerous bit is that you can now DoS others. Just produce ACK packets
that look like they were produced by your desired target, and blast away.

If media people want to have a fuller understanding, please contact me. I am
more than willing to explain at length if it helps prevent incorrect
reporting.

Regards,

bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
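The sequence-space bookkeeping behind the diagram in the post, as an added example written for this archive (not code from bert hubert or from Guardent). It models only the server side: the server releases a burst of segments each time an ACK advances SND.UNA, which is the "sends at the rate that data is ACKnowledged" behaviour the post describes. The burst size of two segments per ACK is an assumed toy window, and the sizes and sequence numbers are the constructed values from the diagram (ISN 14, two 500-byte segments, then 1000-byte segments). The only check the sender has is RFC 793's acceptability rule: an ACK that points beyond SND.NXT acknowledges data that was never sent and is dropped. That rule is why an attacker needs both the ISN and the server's exact segment sizes, and it is also why the check alone is not a defence once the ISN is predictable; the remedy the post points at is an unguessable Initial Sequence Number.

```python
"""Server-side sequence-space model of the HTTP exchange described above.

Constructed example: trace values come from the post's diagram (ISN 14,
segments of 500, 500, 1000, 1000, ...). The two-segment burst per accepted
ACK is an assumed toy window, not a real congestion-control algorithm.
"""


class Sender:
    """Minimal model of the 'Server Computer' column of the diagram."""

    def __init__(self, isn, segment_sizes, burst=2):
        self.isn = isn
        self.pending = list(segment_sizes)  # sizes still to be sent, in order
        self.burst = burst                  # assumed: segments released per ACK
        self.snd_una = isn                  # oldest unacknowledged sequence number
        self.snd_nxt = isn                  # next sequence number to be sent
        self.sent = []                      # (seq, length) of every segment sent
        self.rejected = []                  # ACK values dropped as unacceptable
        self._send_burst()                  # data after the handshake (GET /bigfile)

    def _send_burst(self):
        """Send up to `burst` segments; the server only sends more when ACKed."""
        for _ in range(self.burst):
            if not self.pending:
                return
            size = self.pending.pop(0)
            self.sent.append((self.snd_nxt, size))
            self.snd_nxt += size

    def process_ack(self, ack):
        """Apply RFC 793's acceptability test for the ACK field.

        ack <= SND.UNA : old or duplicate ACK, nothing to do.
        ack >  SND.NXT : acknowledges data never sent, so the ACK is dropped.
        otherwise      : advance SND.UNA and release the next burst.
        """
        if ack <= self.snd_una:
            return "duplicate"
        if ack > self.snd_nxt:
            self.rejected.append(ack)
            return "unacceptable"
        self.snd_una = ack
        self._send_burst()
        return "accepted"


def replay_trace(isn, segment_sizes, acks):
    """Feed a list of ACK values to a fresh Sender; return it and the verdicts."""
    sender = Sender(isn, segment_sizes)
    verdicts = [sender.process_ack(ack) for ack in acks]
    return sender, verdicts


if __name__ == "__main__":
    # The legitimate browser's ACKs from the diagram: every one lands exactly
    # on a segment boundary, so all are accepted and the server keeps sending.
    s, v = replay_trace(14, [500, 500, 1000, 1000, 1000, 1000], [514, 2014, 4014])
    print(v, s.sent, "SND.NXT =", s.snd_nxt)
    # An ACK built on a wrong ISN guess points past SND.NXT and is dropped:
    # only a correct ISN (plus the segment sizes) gets ACKs through this test.
    s2, v2 = replay_trace(14, [500, 500, 1000, 1000], [5000])
    print(v2, "rejected:", s2.rejected, "segments sent:", len(s2.sent))
```

Running the module reproduces the diagram: the three ACKs 514, 2014 and 4014 are accepted and the server emits 500, 500, 1000, 1000, 1000, 1000 bytes with SND.NXT ending at 5014, while an ACK of 5000 against a server that has only sent up to 1014 is dropped without releasing any data.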
