Date: Tue, 20 Apr 2004 13:43:44 -0700 From: Dragos Ruiu <dr@kyx.net> To: Charles Swiger <cswiger@mac.com>, freebsd-security@freebsd.org Subject: Re: TCP RST attack Message-ID: <200404201343.44342.dr@kyx.net> In-Reply-To: <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com> References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <xzphdve35oa.fsf@dwp.des.no> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On April 20, 2004 01:28 pm, Charles Swiger wrote: > My take on this is pretty close to yours: this isn't a new > vulnerability and it's difficult to perform this type of attack under > most circumstances without being able to sniff the traffic going by. > (Basicly, sending a RST is a simple form of data injection via the > classic man-in-the-middle attack. ACKs and RSTs count as data, too. Definitely not a new vulnerability. Just a newer analysis with more factors accounted for. > Using a tiny window (say ethernet MTU or smaller) would greatly > increase the amount of work an attacker has to do to create a valid RST > to zap an open connection, admittedly at the cost of adding a lot of > latency to such TCP connections. Hmm, how about a mechanism that would > let one control the maximum TCP window size the system will permit on a > per-host or per-network-block basis? But I'm told most providers crank UP their window sizes to improve BGP restarts... So reducing the windows may negatively affect other things. (Need to be careful that the cure isn't worse than the disease.) cheers, --dr -- Top security experts. Cutting edge tools, techniques and information. Vancouver, Canada April 21-23 2004 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404201343.44342.dr>