Date: Tue, 20 Apr 2004 19:44:37 +0200
From: des@des.no (Dag-Erling Smørgrav)
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
Message-ID: <xzphdve35oa.fsf@dwp.des.no>
In-Reply-To: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> (Mike Tancsa's message of "Tue, 20 Apr 2004 12:57:25 -0400")
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2>

Mike Tancsa <mike@sentex.net> writes:
> http://www.uniras.gov.uk/vuls/2004/236929/index.htm

The advisory grossly exaggerates the impact and severity of this fea^H^H^Hbug. The attack is only practical if you already know the details of the TCP connection you are trying to attack, or are in a position to sniff it. The fact that you can attack a TCP connection which passes through a network you have access to sniff should not be a surprise to anyone; the remaining cases require spoofing of a type which egress filtering would prevent, if only people would bother implementing it.

I don't believe BGP sessions are as exposed as the advisory claims they are, either. The possibility of insertion attacks (which are quite hard) was predicted six years ago, when RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option) was written. RST attacks may cause route flapping, but that can be avoided with a short hysteresis (though this may be impractical for backbone routers).

Insertion attacks against SSL connections are practically impossible, so the only risk there is an RST attack, which most browsers should handle gracefully.

DNS connections (even zone transfers) are so short-lived that you would have to be very, very lucky to pull off an insertion or RST attack against.

The most likely attack scenario to come out of this is probably gamers and IRC weenies kicking each other off servers (the server's IP address and port number are known, the servers often reveal client IP addresses to other clients, and the client often uses a fixed source port, or one from a relatively small range).

DES
-- 
Dag-Erling Smørgrav - des@des.no
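
The "short hysteresis" against route flapping mentioned in the message above, as an added example that is not part of the original e-mail or of any router's code: routes stay installed for a hold-down period after a session drops and are withdrawn only if the session has not come back by then. The function name `replay`, the event times and the 5-second hold-down are all constructed for illustration.

```python
"""Hold-down (hysteresis) on route withdrawal after a peering session drops."""

# Constructed sample timeline (seconds): three brief session resets that
# recover within a few seconds, followed by one genuine 90-second outage.
EVENTS = [
    (10, "down"), (12, "up"),
    (30, "down"), (33, "up"),
    (50, "down"), (51, "up"),
    (100, "down"), (190, "up"),
]


def replay(events, hold_down, end):
    """Replay (time, 'down'|'up') events against a hold-down timer.

    Returns (withdrawals, stale_seconds):
      withdrawals   - how many times routes were actually withdrawn (flaps
                      visible to the rest of the network)
      stale_seconds - time routes stayed installed while the session was down,
                      which is the cost of the hysteresis
    """
    withdrawals, stale = 0, 0.0
    down_since = None      # when the current drop started, if the session is down
    installed = True       # whether the peer's routes are still in the table
    for t, kind in sorted(events) + [(end, "end")]:
        # A drop that outlived the hold-down becomes a real withdrawal.
        if down_since is not None and installed and t - down_since >= hold_down:
            installed = False
            withdrawals += 1
            stale += hold_down
        if kind == "down" and down_since is None:
            down_since = t
        elif kind == "up":
            if down_since is not None and installed:
                # Session recovered inside the hold-down: nothing was withdrawn.
                stale += t - down_since
            down_since, installed = None, True   # routes (re)learned
    return withdrawals, stale


if __name__ == "__main__":
    for hold in (0, 5):
        flaps, stale = replay(EVENTS, hold, end=200)
        print(f"hold-down {hold}s: {flaps} withdrawals, {stale:.0f}s of stale routes")
```

With no hold-down every reset becomes a flap; with it, only the real outage does, at the price of forwarding on stale routes for the hold-down period, which is the trade-off the message flags for backbone routers.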