Date: Tue, 20 Apr 2004 13:32:40 -0700
From: Dragos Ruiu <dr@kyx.net>
To: Mike Tancsa <mike@sentex.net>, des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
Message-ID: <200404201332.40827.dr@kyx.net>
In-Reply-To: <6.0.3.0.0.20040420144001.0723ab80@209.112.4.2>
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <xzp65buh5fa.fsf@dwp.des.no> <6.0.3.0.0.20040420144001.0723ab80@209.112.4.2>
On April 20, 2004 11:43 am, Mike Tancsa wrote:
> At 02:26 PM 20/04/2004, Dag-Erling Smørgrav wrote:
> >Dragos Ruiu <dr@kyx.net> writes:
> > > On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
> > > > The advisory grossly exaggerates the impact and severity of this
> > > > fea^H^H^Hbug. The attack is only practical if you already know the
> > > > details of the TCP connection you are trying to attack, or are in a
> > > > position to sniff it.
> > >
> > > This is not true. The attack does not require sniffing.
> >
> >You need to know the source and destination IP and port. In most
> >cases, this means sniffing. BGP is easier because the destination
> >port is always 179 and the source and destination IPs are recorded in
> >the whois database, but you still need to know the source port.
>
> While true, you do need the source port, how long will it take to
> programmatically go through the possible source ports in an attack ? That
> only adds 2^16-1024 to blast through

Also keep in mind ports are predictable to varying degrees
depending on the vendor or OS, which further reduces the
brute force space you have to go through without sniffing.

That's what this thing boils down to imho - the space you have
to blast through, the time you have to do it in, and the
bandwidth/rate available to do it. And there are competing
factors, and questions about what are the real world values.

I'm still waiting on final answers...

cheers,
--dr

--
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
