Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
From: Shachar Shemesh (fulldisc_at_sun.consumer.org.il)
To: Michal Zalewski <firstname.lastname@example.org> Date: Thu, 11 Dec 2003 10:56:01 +0200
Michal Zalewski wrote:
>Consider the following: Bob sends a TCP/IP ACK packet to Alice, with a
>data payload and within an established session, of which session the
>attacker is aware (attacker-induced or server to server traffic, perhaps).
>Bob's packet exceeds the MTU somewhere en route (be it on some WAN
>interface, or on a local PPPoA, PPPoE or VPN interface), a situation not
>quite unheard of; the IP packet gets fragmented in order to be delivered
This attack is timing sensitive, route sensitive, and is highly
unreliable. Those problems aside, however, there is a more fundemental
problem. You need to time each and every fragmented packet you send to
always arrive before or after (depending on receiving machine's IP
stack) the corresponding legit fragment, yet before the entire packet is
assembled. All of that, without having any knowledge about either side
of the communication parties.
How do you get the legit connection you are trying to overload to
fragment at the place you mention. Most TCP/IP connections employ PMTU
discovery, and then split the stream at layer 4, rather then perform
Layer 3 assembly. As a result, fragments in TCP/IP communication is
extremely rare. The probes I know of show that major sites hardly ever
see any fragments at all, outside of deliberate attacks.
Even if you found a victim that does not employ PMTU, fragmentation is
still a rare occurance.
Even if you found a victim that does not employ PMTU, connecting to a
machine where the route requires fragmentation, that splitting is
performed by the routers en-route. Most routers split the packet with
the large chunk being at the begining. Assuming MTU can never go below
~300 bytes (a conservative number - most will say 512), this means the
entire IP and TCP headers are in the same fragment, as well as quite a
chunk of the actual TCP payload.
All in all, an interesting attack vector, but I'm not sure how practical
-- Shachar Shemesh Open Source integration & consulting Home page & resume - http://www.shemesh.biz/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html