Date: Fri, 21 Nov 1997 09:11:25 -0800 (PST)
From: Jim Shankland <jas@flyingfox.com>
To: Don.Lewis@tsc.tdk.com
Cc: security@freebsd.org
Subject: Re: new TCP/IP bug in win95 (fwd)
Message-ID: <199711211711.JAA04036@biggusdiskus.flyingfox.com>
Hmm, I'm not sure I agree that your fix is optimal for this bug, Don. Seems like you're relying on the ACK field being out of range to drop the packet that the victim machine itself generated. Apart from generating an extra packet (the bogus response that the victim sends in response to the original, forged SYN), it also seems that if the attacker can guess the right sequence number, it can circumvent your fix. Granted, that's much harder -- and more platform-variable -- than the exploit that's been posted.

The essence of the attack lies in engineering a TCP connection in which (src-ip, src-port) is equal to (dst-ip, dst-port); the fact that the ACK value in the second packet is out of range seems like a sort of side effect. I can't think of any case in which it would be legal or desirable to have a TCP connection with (src-ip, src-port) equal to (dst-ip, dst-port); so why not just reject such a connection attempt out of hand in the TCPS_LISTEN state?

Jim Shankland
Flying Fox Computer Systems, Inc.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199711211711.JAA04036>
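The check Jim proposes, as an added example that is not part of the original message or of the FreeBSD source: a small user-space parser for an IPv4+TCP segment and a LISTEN-state decision that drops any SYN whose (src-ip, src-port) equals (dst-ip, dst-port). The packet builder, the addresses and ports, and the function names are constructed for the example; nothing here is the stack's actual code.

```python
"""Added example: reject a self-addressed SYN at the LISTEN check.

Everything below is constructed for illustration (addresses, ports,
function names); it is not FreeBSD code and not Don's or Jim's patch.
"""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, src_port, dst_ip, dst_port, flags, seq=0, ack=0):
    """Build a minimal IPv4+TCP segment (no options, no payload).

    Used only to construct sample input; the TCP checksum is left as 0
    because the parser below does not verify it.
    """
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                            64, socket.IPPROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(ip_no_sum)
    ip = ip_no_sum[:10] + struct.pack("!H", csum) + ip_no_sum[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the 4-tuple, sequence numbers and flags from a raw segment."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        raise ValueError("truncated or malformed header")
    if pkt[9] != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    src_ip = socket.inet_ntoa(pkt[12:16])
    dst_ip = socket.inet_ntoa(pkt[16:20])
    src_port, dst_port, seq, ack, off_flags = struct.unpack(
        "!HHIIH", pkt[ihl:ihl + 14])
    return {
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": off_flags & 0x1FF,
    }


def is_self_addressed(seg: dict) -> bool:
    """True when (src-ip, src-port) == (dst-ip, dst-port), the condition
    the message identifies as the essence of the attack."""
    return (seg["src_ip"], seg["src_port"]) == (seg["dst_ip"], seg["dst_port"])


def listen_accepts(seg: dict) -> bool:
    """Decision for a segment arriving at a socket in the LISTEN state.

    Only a bare SYN can open a connection; a segment carrying ACK, or one
    without SYN, is not a connection attempt (the real stack answers or
    drops those on other paths). A self-addressed SYN is rejected out of
    hand, before any sequence-number state is created for it.
    """
    if seg["flags"] & TCP_ACK:
        return False
    if not seg["flags"] & TCP_SYN:
        return False
    if is_self_addressed(seg):
        return False
    return True


# Constructed sample input: a forged SYN from the victim to itself, and an
# ordinary SYN from another host to the same listening port.
LAND_SYN = build_ipv4_tcp("10.0.0.5", 139, "10.0.0.5", 139, TCP_SYN, seq=1)
NORMAL_SYN = build_ipv4_tcp("10.0.0.7", 40001, "10.0.0.5", 139, TCP_SYN, seq=7)

if __name__ == "__main__":
    for name, pkt in (("land", LAND_SYN), ("normal", NORMAL_SYN)):
        seg = parse_ipv4_tcp(pkt)
        print(name, "accepted" if listen_accepts(seg) else "dropped")
```

The check costs one tuple comparison per incoming SYN and needs no knowledge of the sequence-number window, which is the point of the message: it addresses the malformed 4-tuple directly rather than relying on the later ACK being out of range.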