Date: Sat, 4 Apr 1998 19:21:58 +0600 (ESS) From: Vasim Valejev <vasim@diaspro.com> To: freebsd-security@FreeBSD.ORG Subject: RFC-1644 Message-ID: <Pine.BSF.3.96.980404191508.5058A-100000@uddias.diaspro.com>
next in thread | raw e-mail | index | archive | help
Hi ! Transactions-TCP (RFC-1644) in FreeBSD (and other systems) can cause problems for security : 1. New variant of SYN-flood attack . Someone can send many T/TCP packets with fake originate address (any unreachable address) and overload (possible cause Denial-Of-Service) victim's server (for example - many T/TCP requests to telnet/ftp/http/etc daemons) . 2. Attack to r*-services (rshd/rlogind without kerberos-authentication) . Hacker can send T/TCP requests with originate address from /etc/hosts.equiv or .rhosts files . In some cases (computer with address from hacker's request can't send TCP-RST packet in time) it possible run commands on attacked target . My experiments shows what attacker just need 10-50 ms delay between victim sending SYN-ACK packet and receiving RST packet from trusted computer (it depends from algorithm rshd/rlogind , place DNS-server with reverse zone , etc) . This attack can be used on other tcp-services with authentication based on ip-address . RFC-1644 must die :( . My english too (*sigh*) . Just do 'sysctl -w net.inet.tcp.rfc1644=0' and forget about it :) . Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980404191508.5058A-100000>