Re: [Full-Disclosure] A new TCP/IP blind data injection technique?

From: Shachar Shemesh (fulldisc_at_sun.consumer.org.il)
Date: 12/11/03

  • Next message: Michal Zalewski: "Re: [Full-Disclosure] A new TCP/IP blind data injection technique?"
    To: Michal Zalewski <lcamtuf@ghettot.org>
    Date: Thu, 11 Dec 2003 10:56:01 +0200
    
    

    Michal Zalewski wrote:

    >Consider the following: Bob sends a TCP/IP ACK packet to Alice, with a
    >data payload and within an established session, of which session the
    >attacker is aware (attacker-induced or server to server traffic, perhaps).
    >Bob's packet exceeds the MTU somewhere en route (be it on some WAN
    >interface, or on a local PPPoA, PPPoE or VPN interface), a situation not
    >quite unheard of; the IP packet gets fragmented in order to be delivered
    >successfully.
    >
    >
    This attack is timing sensitive, route sensitive, and is highly
    unreliable. Those problems aside, however, there is a more fundamental
    problem. You need to time each and every fragmented packet you send to
    always arrive before or after (depending on the receiving machine's IP
    stack) the corresponding legit fragment, yet before the entire packet is
    assembled. All of that, without having any knowledge about either side
    of the communication parties.

    How do you get the legit connection you are trying to overload to
    fragment at the place you mention? Most TCP/IP connections employ PMTU
    discovery, and then split the stream at layer 4, rather than perform
    Layer 3 assembly. As a result, fragments in TCP/IP communication are
    extremely rare. The probes I know of show that major sites hardly ever
    see any fragments at all, outside of deliberate attacks.

    Even if you found a victim that does not employ PMTU, fragmentation is
    still a rare occurrence.

    Even if you found a victim that does not employ PMTU and is connecting
    to a machine where the route requires fragmentation, that splitting is
    performed by the routers en route. Most routers split the packet with
    the large chunk being at the beginning. Assuming MTU can never go below
    ~300 bytes (a conservative number - most will say 512), this means the
    entire IP and TCP headers are in the same fragment, as well as quite a
    chunk of the actual TCP payload.

    All in all, an interesting attack vector, but I'm not sure how practical
    it is.

                 Shachar

    -- 
    Shachar Shemesh
    Open Source integration & consulting
    Home page & resume - http://www.shemesh.biz/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
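The two mechanics the reply leans on, how a router cuts an IP datagram and what a receiving stack does with an overlapping fragment, are easy to make concrete. The script below is an added example written for this page; it is not code from the thread or from either author. It fragments a constructed TCP ACK segment from "Bob" the way RFC 791 describes (largest 8-byte-aligned chunk first), then reassembles it together with one spoofed second fragment that shares the same (src, dst, IP ID, protocol) tuple. Two reassembly policies, "first copy of a byte wins" and "last copy wins", are a deliberately simplified stand-in for the stack-dependent behaviour the reply mentions; real stacks have more elaborate overlap rules. The addresses, ports, IP ID, 576-byte MTU and payloads are all constructed for the demo, and nothing is put on the wire.

```python
"""Added example (not part of the Full-Disclosure thread): RFC 791-style
fragmentation of a TCP segment and reassembly under two simplified
overlap policies.  Shows that (a) the TCP header plus most of the payload
land in fragment 0, and (b) whether a spoofed overlapping fragment wins
depends on arrival order and on the receiving stack's policy.
Addresses, ports, IP ID, MTU and payloads below are constructed."""

import socket
import struct
from dataclasses import dataclass

IHL = 20        # IPv4 header length without options
TCP_HDR = 20    # TCP header length without options
PROTO_TCP = 6


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # 16-bit IP ID; a blind attacker has to guess it
    proto: int
    offset: int     # byte offset of this piece within the original payload
    more: bool      # MF flag
    payload: bytes


def fragment(src, dst, ident, proto, payload, mtu):
    """Cut an IP payload like a router: every fragment but the last carries
    the largest multiple of 8 bytes that fits in (mtu - IP header)."""
    chunk = (mtu - IHL) // 8 * 8
    if chunk <= 0:
        raise ValueError("mtu too small to carry any payload")
    return [Fragment(src, dst, ident, proto, off,
                     off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def reassemble(frags, policy="first"):
    """Reassemble fragments sharing (src, dst, id, proto).
    policy="first": a byte already received is kept; policy="last": a later
    overlapping fragment overwrites it (simplified model of real stacks).
    Returns None while the datagram still has holes or no last fragment."""
    if len({(f.src, f.dst, f.ident, f.proto) for f in frags}) != 1:
        raise ValueError("fragments belong to more than one datagram")
    buf, have, total = bytearray(), bytearray(), None
    for f in frags:
        if f.offset % 8:
            raise ValueError("fragment offset must be a multiple of 8")
        end = f.offset + len(f.payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            have.extend(bytes(end - len(have)))
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if policy == "last" or not have[pos]:
                buf[pos] = b
            have[pos] = 1
        if not f.more:
            total = end
    if total is None or total != len(buf) or not all(have):
        return None
    return bytes(buf)


def _csum(data):
    """RFC 1071 Internet checksum (ones' complement sum, folded)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _pseudo(src, dst, tcp_len):
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))


def tcp_segment(src, dst, sport, dport, seq, ack, data):
    """Build a TCP ACK segment (20-byte header, no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (TCP_HDR // 4) << 4, 0x10, 65535, 0, 0)
    c = _csum(_pseudo(src, dst, TCP_HDR + len(data)) + hdr + data)
    return hdr[:16] + struct.pack("!H", c) + hdr[18:] + data


def tcp_checksum_ok(src, dst, segment):
    """True when the segment's TCP checksum verifies for this src/dst pair."""
    return _csum(_pseudo(src, dst, len(segment)) + segment) == 0


def demo(policy, spoof_first=False):
    """Bob's 1000-byte segment crosses a 576-byte MTU link; the attacker sends
    one spoofed second fragment carrying the same (src, dst, id, proto).
    Returns (tail of the reassembled datagram is the attacker's?, TCP checksum ok?)."""
    src, dst = "192.0.2.10", "198.51.100.20"          # constructed addresses
    seg = tcp_segment(src, dst, 40000, 80, 1000, 2000, b"A" * 1000)
    legit = fragment(src, dst, 0x1234, PROTO_TCP, seg, 576)
    tail = legit[-1]
    spoof = Fragment(src, dst, 0x1234, PROTO_TCP, tail.offset, False,
                     b"B" * len(tail.payload))
    order = [legit[0], spoof, tail] if spoof_first else legit + [spoof]
    out = reassemble(order, policy)
    return out.endswith(b"B" * len(tail.payload)), tcp_checksum_ok(src, dst, out)


if __name__ == "__main__":
    for policy, first in (("first", False), ("first", True), ("last", False)):
        when = "spoof arrives first" if first else "spoof arrives last"
        print(policy, when, demo(policy, first))
```

With a 576-byte MTU the first fragment is 552 bytes, so it carries the whole TCP header and 532 bytes of data, and only the last 468 bytes of Bob's payload travel in the second fragment. Under the "first wins" policy the spoofed fragment only takes effect if it beats the legitimate one to the receiver; under "last wins" it only takes effect if it arrives after it. In both cases the attacker also had to hit the 16-bit IP ID, and the reassembled segment then has to pass the TCP checksum that sits in fragment 0, which the substituted tail here does not.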
