Date: Sat, 4 Apr 1998 19:21:58 +0600 (ESS)
From: Vasim Valejev
To: freebsd-security@FreeBSD.ORG
Subject: RFC-1644

Hi!

Transaction TCP (RFC-1644) in FreeBSD (and other systems) can cause security problems:

1. A new variant of the SYN-flood attack. Someone can send many T/TCP packets with a fake originating address (any unreachable address) and overload the victim's server, possibly causing a denial of service (for example, many T/TCP requests to the telnet/ftp/http/etc. daemons).

2. An attack on r*-services (rshd/rlogind without Kerberos authentication). A hacker can send T/TCP requests with an originating address taken from the /etc/hosts.equiv or .rhosts files. In some cases (when the computer whose address is used in the hacker's request can't send a TCP RST packet in time) it is possible to run commands on the attacked target. My experiments show that the attacker just needs a 10-50 ms delay between the victim sending the SYN-ACK packet and receiving the RST packet from the trusted computer (it depends on the rshd/rlogind algorithm, the location of the DNS server with the reverse zone, etc.). This attack can be used against other TCP services with authentication based on IP address.

RFC-1644 must die :(. My English too (*sigh*).

Just do 'sysctl -w net.inet.tcp.rfc1644=0' and forget about it :).

Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE)
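
An audit for the exposure described in the message above, added here as an example and not part of the original post: it flags a host where T/TCP is on and inetd still offers services that authenticate by source address. The function names and the sample sysctl and inetd.conf lines are constructed for illustration; on a live host pass "$(sysctl net.inet.tcp.rfc1644)" and "$(cat /etc/inetd.conf)" instead.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# ttcp_enabled SYSCTL_OUTPUT -> exit 0 if net.inet.tcp.rfc1644 is non-zero.
# A missing OID is treated as "T/TCP not available", i.e. disabled.
ttcp_enabled() {
    val=$(printf '%s\n' "$1" |
          sed -n 's/^net\.inet\.tcp\.rfc1644[:=] *//p' | head -n 1)
    [ -n "$val" ] && [ "$val" != "0" ]
}

# addr_trust_services INETD_CONF -> prints the enabled inetd services that
# trust hosts.equiv/.rhosts (shell = rshd, login = rlogind), one per line.
addr_trust_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }   # commented-out entries are disabled
        $3 ~ /^tcp/ && ($1 == "shell" || $1 == "login") { print $1 }'
}

# audit SYSCTL_OUTPUT INETD_CONF -> prints a single verdict line.
audit() {
    svcs=$(addr_trust_services "$2" | tr '\n' ' ' | sed 's/ *$//')
    if ! ttcp_enabled "$1"; then
        echo "OK: T/TCP disabled"
    elif [ -n "$svcs" ]; then
        echo "HIGH: T/TCP enabled with address-trusting services: $svcs"
    else
        echo "WARN: T/TCP enabled, no address-trusting services in inetd"
    fi
}

# Constructed sample input (not taken from a real host).
SAMPLE_SYSCTL_ON='net.inet.tcp.rfc1644: 1'
SAMPLE_SYSCTL_OFF='net.inet.tcp.rfc1644: 0'
SAMPLE_INETD='ftp    stream tcp nowait root /usr/libexec/ftpd    ftpd -l
shell  stream tcp nowait root /usr/libexec/rshd    rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind'

audit "$SAMPLE_SYSCTL_ON"  "$SAMPLE_INETD"
audit "$SAMPLE_SYSCTL_OFF" "$SAMPLE_INETD"
```

A WARN verdict still leaves the flooding case from item 1 of the message; only the sysctl change removes both.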