Re: Port Scanning.

robert_at_dyadsecurity.com
Date: 12/22/04

    Date: Wed, 22 Dec 2004 12:47:12 -0800
    To: DWreck <dwr3ckmailbox-pentest@yahoo.com>
    
    

    robert@dyadsecurity.com @ Wed, Dec 22, 2004 at
    > The only thing that isn't currently easy to do is TCP full connection
    > payload injection from spoofed IP's. We're working on a way to do
    > that though :).

    I know it's bad form to follow up on your own post... What I was
    talking about in the last email was a way to actually introduce the TCP
    3-way handshake (connection) payload stimulus to the remote IP from a
    spoofed source. This is currently difficult on modern stacks.

    However, many IPS/IDSes don't keep track of state, and you can actually
    get the PSH/ACK TCP payload to trigger many IPSes from spoofed sources
    now. By skipping the 3-way-handshake, the remote IP will obviously not
    treat it as part of an established connection, but if IPS trigger DoS
    was your goal, who cares.

    Robert

    -- 
    Robert E. Lee
    CTO, Dyad Security, Inc.
    W - http://www.dyadsecurity.com
    E - robert@dyadsecurity.com
    M - (949) 394-2033
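As an added illustration (not code from the original post or from Dyad Security) of why the spoofed PSH/ACK stimulus described above fools a stateless sensor, here is a toy comparison of a stateless detector and one that only inspects payload on flows whose 3-way handshake it saw. The signature string, addresses and flag encoding are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed TCP flag bits; each packet below is (src, dst, flags, payload).
SYN, ACK, PSH = 0x02, 0x10, 0x08
SIGNATURE = b"GET /cgi-bin/bad"   # constructed signature a sensor might match on


@dataclass
class FlowTable:
    """Tracks which (client, server) pairs completed a 3-way handshake."""
    syn_seen: set = field(default_factory=set)
    synack_seen: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def observe(self, src, dst, flags):
        """Update handshake state; return True if this packet belongs to an established flow."""
        key = (src, dst)
        if flags == SYN:
            self.syn_seen.add(key)
        elif flags == SYN | ACK and (dst, src) in self.syn_seen:
            self.synack_seen.add((dst, src))          # server answered the client's SYN
        elif flags & ACK and key in self.synack_seen:
            self.established.add(key)                 # client's final ACK (or later data)
        return key in self.established or (dst, src) in self.established


def stateless_alerts(packets):
    """Match the signature on every packet regardless of handshake (the behaviour the post describes)."""
    return [src for src, _dst, _flags, payload in packets if SIGNATURE in payload]


def stateful_alerts(packets):
    """Match the signature only on flows this sensor watched being established."""
    table = FlowTable()
    return [src for src, dst, flags, payload in packets
            if table.observe(src, dst, flags) and SIGNATURE in payload]


# Constructed traffic: a real client completes the handshake and sends data,
# then a spoofed source sends a bare PSH/ACK with the same payload and no handshake.
TRAFFIC = [
    ("10.0.0.5", "192.0.2.10", SYN, b""),
    ("192.0.2.10", "10.0.0.5", SYN | ACK, b""),
    ("10.0.0.5", "192.0.2.10", ACK, b""),
    ("10.0.0.5", "192.0.2.10", PSH | ACK, SIGNATURE + b" HTTP/1.0\r\n"),
    ("203.0.113.77", "192.0.2.10", PSH | ACK, SIGNATURE + b" HTTP/1.0\r\n"),  # spoofed
]
```

A stateless sensor alerts on both sources, so an IPS that blocks on that alert would block whatever address the spoofer chose; the handshake-tracking sensor alerts only on the real client.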
    
