[REVS] ICMP Attacks Against TCP

From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/05

  • Next message: SecuriTeam: "[UNIX] HP Ignite-UX Information Disclosure" 
    To: list@securiteam.com
Date: 18 Aug 2005 16:57:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      ICMP Attacks Against TCP
    ------------------------------------------------------------------------

    SUMMARY

    It is possible to attack TCP connections by forging ICMP packets and
    sending them to the server. The whitepaper linked below discusses the
    problem and means to solve it, as well as attack tools to exploit the
    vulnerabilities.

    DETAILS

    Introduction:
    Recently, awareness has been raised about several threats against the TCP
    protocol, which include blind connection-reset attacks. These attacks are
    based on sending forged TCP segments to any of the TCP endpoints,
    requiring the attacker to be able to guess the four-tuple that identifies
    the connection to be attacked.

    While these attacks were known by the research community, they were
    considered to be unfeasible. However, increases in bandwidth availability,
    and the use of larger TCP windows have made these attacks feasible.
    Several general solutions have been proposed to either eliminate or
    minimize the impact of these attacks. For protecting BGP sessions,
    specifically, a counter-measure had already been documented in, which
    defines a new TCP option that allows a sending TCP to include a
    MD5signature in each transmitted segment.

    All these counter-measures address attacks that require an attacker to
    send forged TCP segments to the attacked host. However, there is still a
    possibility for performing a number of attacks against the TCP protocol,
    by means of ICMP. These attacks include, among others, blind
    connection-reset attacks.

    This document aims to raise awareness of the use of ICMP to perform a
    number of attacks against TCP, and proposes several counter-measures that
    can eliminate or minimize the impact of these attacks.

    Attack Tools:
    A set of tools for this family of vulnerabilities was release, for more
    information see: <http://www.securiteam.com/tools/5ZP0S1FGAA.html> ICMP
    Attack Tools

    Additional Notes:
    The attacks are blind, so the attacker does not need to be a "man in the
    middle" to perform then. The typical number of packets required to perform
    any of these attacks is about 16000 (in many cases, the attacker requires
    fewer packets). This means that even when a 128kbps link, it will take the
    attacker much less than a minute to perform them.

    What are the affected applications?
    Well, the first one that may come to your mind is BGP, but there are
    others. For example:
    * Proxies (either transparent, or not)

    Let's say we want to prevent users from accessing the web site
    192.168.0.1. If the web proxy address is 10.0.0.1, we can attack it and
    run any of the tools like: icmp-xxxx -c 10.0.0.1:1024-65535 -s
    192.168.0.1:80 -t server
    With this attack, all the clients that are using the proxy 10.0.0.1 cannot
    access the webserver at 192.168.0.1

    * Mail
    Think about two major e-mail providers. Let's say one is 10.0.0.1, and the
    other one is 192.168.0.1. Let's DoS the mail transfers from 10.0.0.1 to
    192.168.0.1: icmp-xxxx -c 10.0.0.1:1024-65535 -s 192.168.0.1:25 -t client

    Let's also DoS the mail transfers from 192.168.0.1 to 10.0.0.1: icmp-xxxx
    -c 192.168.0.1:1024-65535 -s 10.0.0.1:25 -t client

    * NATs
    NATs will usually make all the hosts in your network use one (or a few) IP
    address(es) for their TCP connections. By performing the attack against
    the IP address of the NAT box trying all the possible port number
    combinations, you would be attacking the TCP connections of all the
    clients behind the NAT.
    And the list could continue....

    Even only one attacker with broadband access can perform these attacks, as
    discussed above.
    Not to mention what could happen if someone had the idea to include these
    attack tools in an Internet worm.

    Wasn't this simple? Isn't this something that should be fixed?

    Otherwise, read the draft at
    <http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html>
    http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html , send it to
    your vendor, explain it to them, and ask them to fix their OS.

    Common misconceptions:
    * The TCP MD5 option does not protect you from these attacks
    * IPSec does not protect you from these attacks
    * You cannot filter all ICMP messages
    * Relying on fragmenttion has many potential problems (read Mogul's
    "Fragmentation considered harmful" classic, or the recent Matthis'
    "Fragmentation considered very harmful")
    * The minimum IPv4 MTU is 68. If you ignore ICMP messages that claim MTU's
    lower than X (where X>68), then there's a high chance your TCP connections
    may stall

    The full whitepaper can be found at:
    <http://www.gont.com.ar/drafts/draft-gont-tcpm-icmp-attacks-03.txt>
    Internet-Draft - ICMP attacks against TCP(December 2004)

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:fernando@frh.utn.edu.ar>
    Fernando Gont.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] HP Ignite-UX Information Disclosure"

    Relevant Pages