Date: Wed, 2 May 2001 18:33:49 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Tim Newsham <newsham@lava.net>
Cc: security@freebsd.org
Subject: Re: (fwd) FreeBSD Security Advisory FreeBSD-SA-01:39.tcp-isn (fwd)
Message-ID: <20010502183349.B72379@xor.obsecurity.org>
In-Reply-To: <m14v7g3-000ofhC@malasada.lava.net>; from newsham@lava.net on Wed, May 02, 2001 at 03:13:07PM -1000
References: <m14v7g3-000ofhC@malasada.lava.net>

On Wed, May 02, 2001 at 03:13:07PM -1000, Tim Newsham wrote:
>
> hmm.. I think you may have gotten the attack description
> and conditions wrong.
>
> Attacks are performed against live, already authenticated
> connections. As such, rsh and rlogin are no more
> susceptible to attack than other unencrypted sessions.
> All sessions, regardless of use of encryption, are
> susceptible to being shut down prematurely.

Even TCP connections protected with IPSEC AH?

Knowing the TCP ISN (with some confidence level) allows you to do (at
least) two classes of attack:

1) Reset existing connections, as was focused on in your paper (you
need to know roughly how much data has been through the connection
too).

2) Spoof new connections.

> Filtering out privileged ports will have no impact
> on this vulnerability.

It does protect against both 1) and 2) in the case where connections
are between internal machines. Obviously there are limits to what you
can do with ingress filtering, though.

This is obviously a complex issue with many implications, and few good
workarounds.

Kris