tcp,guardent,bellovin

Richard A. Steenbergen ras at e-gerbil.net
Mon Mar 12 23:09:32 UTC 2001


On Mon, Mar 12, 2001 at 11:25:35PM +0100, bert hubert wrote:
>
> The 50.000 foot view: There is a further vulnerability in TCP/IP if
> you can determine the Initial Sequence Number without actually
> starting a connection. By exploiting your knowledge of the remote
> host, a telephone modem user can cause webservers to become massive
> Denial of Service agents, targeting arbitrary targets. Lots of
> consumer editions of windows come with easily guessable sequence
> numbers.
...
> Now, if you are able to guess the number '14' above, and you know the
> packet sizes a server will produce, you can invent ACKs from arbitrary
> source IP addresses. The Server Computer doesn't notice anything
> interesting, and blasts out data at speeds possibly exceeding its
> interface or line speed.

And since the "victim" will have the current sequence number for inbound
data, what would keep it from (correctly) sending an RST and tearing down
this false connection?

Also, even given the assumption that Windows is easily ISN spoofable
(which I would certainly hope is not the case, I thought everyone learned
that lesson years ago), I don't see many consumer editions of windows
being readily available to hackers, running webservers with large files on
fast uplinks.

I think any kind of useful ISN-guessing based DoS would require sniffing
access to the server in question. It might be possible to "speed up" the
transmission of an already established connection inproperly for a short
time, but this would quickly fall over and die. It might also be possible
to trick the "big server" into sending more data to a host which does not
exist and cannot reply then it can successfully deliver outbound for an
extremely short time, but I think if your "big server" is ISN-guessable
you have bigger problems to worry about. And if the hacker does have
ISN-sniffable access, why would it not be easier for them to launch the
attack directly from their compromised machine on the same network?

BTW If you wanted to force the packets to a known size, this could easily
be done with a small MSS option. Infact its probably far deadlier to
establish a real connection to a big webserver with a tiny MSS and watch
it send tons of small packets. To my knowledge there is no (reasonable)  
minimium size limit for a requested MSS?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)





More information about the NANOG mailing list