Re: TCP RST attack

From: Dragos Ruiu (dr_at_kyx.net)
Date: 04/20/04

    To: Mike Tancsa <mike@sentex.net>, des@des.no (Dag-Erling Smørgrav )
    Date: Tue, 20 Apr 2004 13:32:40 -0700
    
    

    On April 20, 2004 11:43 am, Mike Tancsa wrote:
    > At 02:26 PM 20/04/2004, Dag-Erling Smørgrav wrote:
    > >Dragos Ruiu <dr@kyx.net> writes:
    > > > On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
    > > > > The advisory grossly exaggerates the impact and severity of this
    > > > > fea^H^H^Hbug. The attack is only practical if you already know the
    > > > > details of the TCP connection you are trying to attack, or are in a
    > > > > position to sniff it.
    > > >
    > > > This is not true. The attack does not require sniffing.
    > >
    > >You need to know the source and destination IP and port. In most
    > >cases, this means sniffing. BGP is easier because the destination
    > >port is always 179 and the source and destination IPs are recorded in
    > >the whois database, but you still need to know the source port.
    >
    > While true, you do need the source port, how long will it take to
    > programmatically go through the possible source ports in an attack? That
    > only adds 2^16-1024 to blast through

    Also keep in mind ports are predictable to varying degrees depending on
    the vendor or OS, which further reduces the brute force space you have to
    go through without sniffing. That's what this thing boils down to imho - the
    space you have to blast through, the time you have to do it in, and
    the bandwidth/rate available to do it. And there are competing factors,
    and questions about what are the real world values. I'm still waiting
    on final answers...

    cheers,
    --dr

    -- 
    Top security experts.  Cutting edge tools, techniques and information.
    Vancouver, Canada	April 21-23 2004  http://cansecwest.com
    pgpkey http://dragos.com/ kyxpgp
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
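
An added example, not part of the original thread: a small estimator an operator can run over source ports seen in their own flow logs to see how much predictable port allocation shrinks the guess space discussed above, and how long covering it would take at a given packet rate. The function names, the sample port lists, the 16-port step window and the assumption that a reset is accepted anywhere inside the receive window are all choices made for this example.

```python
# Added example; sample port lists below are constructed, not captured data.
PORT_SPACE = 2**16 - 1024  # ephemeral range size quoted in the thread


def port_candidates(observed, max_step=16, threshold=0.8):
    """Estimate how many source ports stay plausible for a host's next connection.

    observed: source ports of consecutive outbound connections, e.g. from your
    own flow logs. If most successive differences are small positive steps, the
    allocator is treated as sequential and only max_step ports remain plausible
    once one recent port is known; otherwise the whole range does.
    """
    if len(observed) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [(b - a) % PORT_SPACE for a, b in zip(observed, observed[1:])]
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    return max_step if small / len(deltas) >= threshold else PORT_SPACE


def packets_to_cover(candidates, window):
    """Worst-case segments needed to cover every candidate port.

    Assumption (not stated in the thread): the receiver accepts a reset whose
    sequence number falls anywhere inside its receive window, so one guess per
    window-sized stride of the 32-bit sequence space is enough for each port.
    """
    strides = -(-2**32 // window)  # ceiling division
    return candidates * strides


def hours_to_cover(candidates, window, pps):
    """Worst-case time at a sustained packet rate (packets per second)."""
    return packets_to_cover(candidates, window) / pps / 3600


SEQUENTIAL = [49152, 49153, 49155, 49156, 49157, 49159]  # constructed sample
RANDOMIZED = [51234, 1090, 60001, 33333, 2048, 47000]    # constructed sample

if __name__ == "__main__":
    for name, ports in (("sequential", SEQUENTIAL), ("randomized", RANDOMIZED)):
        c = port_candidates(ports)
        print(f"{name}: {c} candidate ports, "
              f"{hours_to_cover(c, window=16384, pps=10000):.2f} h at 10 kpps")
```

The gap between the two results is the practical argument for randomized ephemeral ports on long-lived sessions such as BGP.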
    
