tcp,guardent,bellovin

bert hubert ahu at ds9a.nl
Mon Mar 12 23:35:08 UTC 2001


Richard,

I do not claim that this trick will bring down the world. But it is yet
another argument for proper ISN-generation.

On Mon, Mar 12, 2001 at 06:09:32PM -0500, Richard A. Steenbergen wrote:

> And since the "victim" will have the current sequence number for inbound
> data, what would keep it from (correctly) sending an RST and tearing down
> this false connection?

The victim need not be an actual running server. There are lots of IP
addresses that you can send data to at will, without receiving RST or ICMP
packets deterring you. You still take down their connection though..

> Also, even given the assumption that Windows is easily ISN spoofable
> (which I would certainly hope is not the case, I thought everyone learned
> that lesson years ago), I don't see many consumer editions of windows

I recall bugtraq postings in which Microsoft stated, or was reported to have
stated, that they release patches for server editions of their OS to have
proper ISN generation, but wouldn't bother for consumer editions.

> being readily available to hackers, running webservers with large files on
> fast uplinks.

Well, when I was at university, this certainly was the case. Lots of
Windows95 machines running the 'Microsoft Personal Webserver'. 

> I think any kind of useful ISN-guessing based DoS would require sniffing
> access to the server in question. It might be possible to "speed up" the
> transmission of an already established connection improperly for a short
> time, but this would quickly fall over and die. It might also be possible

Have you tried this? I tested with the famously slow 'DEMOS' modems as used
by Casema Internet. These connect to your computer using a serial cable. Any
single cable segment has at most 156kbit/s available, for on average 25
customers. Yes.

Yet I was able to spoof up to half a megabit of traffic without trying
really hard.

> BTW If you wanted to force the packets to a known size, this could easily
> be done with a small MSS option. In fact its probably far deadlier to
> establish a real connection to a big webserver with a tiny MSS and watch
> it send tons of small packets. To my knowledge there is no (reasonable)
> minimum size limit for a requested MSS?

Actually, I spent a lot of time today for a customer debugging problems with
86 byte MSS packets in combination with transparent proxying. It doesn't
work that well, not yet sure why.

Regards,

bert hubert

-- 
http://www.PowerDNS.com      Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
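
The exchange above turns on one question: can a third party complete a
handshake on the victim's behalf without ever seeing the server's SYN-ACK?
That is decided by ISN predictability, and by whether the "victim" address is
a live host that answers the unexpected SYN-ACK with a RST. The simulation
below is an added example, not code from the original post nor from Windows,
Linux or any stack the thread mentions. It contrasts a predictable
fixed-increment ISN generator with an RFC 1948 / RFC 6528 style
ISN = M + F(4-tuple, secret) generator. The addresses, ports, the 64000
step, the clock tick, the secret and the guess budget are all assumptions
chosen for illustration; only the handshake is modelled, not the data
spoofing that follows it.

```python
import hashlib

# Constructed scenario (assumptions, not values from the thread).
SERVER = ("192.0.2.10", 80)
ATTACKER = ("198.51.100.7", 40000)
VICTIM = ("203.0.113.5", 40000)      # may be a silent address or a live host


class FakeClock:
    """Stand-in for the 4-microsecond ISN clock of RFC 793; advances a fixed
    amount per call so the run is reproducible (assumed tick, not measured)."""
    def __init__(self, tick=250):
        self.now = 0
        self.tick = tick

    def __call__(self):
        self.now += self.tick
        return self.now


class CounterISN:
    """Predictable generator: one global counter bumped by a fixed step per SYN,
    so the ISN handed to the next client is a known offset from the last one."""
    def __init__(self, step=64000):
        self.cur = 0
        self.step = step

    def isn(self, local, remote):
        self.cur = (self.cur + self.step) & 0xFFFFFFFF
        return self.cur


class HashedISN:
    """ISN = M + F(local ip, local port, remote ip, remote port, secret), the
    Bellovin / RFC 6528 scheme. M still rises with the clock, but F differs per
    4-tuple, so one connection's ISN says nothing about another's."""
    def __init__(self, clock, secret):
        self.clock = clock
        self.secret = secret

    def isn(self, local, remote):
        four_tuple = f"{local[0]}:{local[1]}:{remote[0]}:{remote[1]}".encode()
        digest = hashlib.sha256(self.secret + four_tuple).digest()
        f = int.from_bytes(digest[:4], "big")
        return (self.clock() + f) & 0xFFFFFFFF


class Server:
    """Minimal listener: SYN -> SYN-RECEIVED with an ISS; ACK == ISS+1 -> ESTABLISHED."""
    def __init__(self, gen):
        self.gen = gen
        self.half_open = {}          # client 4-tuple -> ISS sent in the SYN-ACK
        self.established = set()

    def syn(self, client):
        iss = self.gen.isn(SERVER, client)
        self.half_open[client] = iss
        return iss                   # the SYN-ACK is routed to `client`, not to the sender

    def rst(self, client):
        # A live host that never sent a SYN answers the SYN-ACK with RST.
        self.half_open.pop(client, None)

    def ack(self, client, ack_num):
        iss = self.half_open.get(client)
        if iss is not None and ack_num == (iss + 1) & 0xFFFFFFFF:
            del self.half_open[client]
            self.established.add(client)
            return True
        return False


def spoofed_handshake(server, victim_is_live, guesses=1000, step_hint=64000):
    """Attacker samples an ISN on its own connection, sends a SYN bearing the
    victim's address, then blind-fires `guesses` ACK numbers around the ISN it
    expects the server to have used. Returns True if the server now believes
    it has an established connection from the victim."""
    sampled = server.syn(ATTACKER)          # attacker genuinely receives this SYN-ACK
    server.syn(VICTIM)                      # this SYN-ACK goes to the victim instead
    if victim_is_live:
        server.rst(VICTIM)                  # live victim tears it down before the ACKs land
    centre = (sampled + step_hint) & 0xFFFFFFFF
    for delta in range(-(guesses // 2), guesses - guesses // 2):
        if server.ack(VICTIM, (centre + delta + 1) & 0xFFFFFFFF):
            return True
    return False


def run_all():
    """(counter ISN, silent victim), (counter ISN, live victim), (hashed ISN, silent victim)."""
    counter_silent = spoofed_handshake(Server(CounterISN()), victim_is_live=False)
    counter_live = spoofed_handshake(Server(CounterISN()), victim_is_live=True)
    hashed_silent = spoofed_handshake(Server(HashedISN(FakeClock(), b"k" * 16)),
                                      victim_is_live=False)
    return counter_silent, counter_live, hashed_silent


if __name__ == "__main__":
    print(run_all())
```

With the counter scheme the first guess lands (the victim's ISS is exactly one
step past the attacker's), and the only thing that stops the spoofed
connection is a victim that is alive to send a RST; against the hashed scheme
a thousand guesses around the expected value miss, because the per-4-tuple
term spreads the ISS over the whole 32-bit space.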