[69845] in North American Network Operators' Group
Re: Massive stupidity (Was: Re: TCP vulnerability)
daemon@ATHENA.MIT.EDU (Mike Tancsa)
Tue Apr 20 21:22:34 2004
Date: Tue, 20 Apr 2004 21:23:46 -0400
To: Richard A Steenbergen <ras@e-gerbil.net>
From: Mike Tancsa <mike@sentex.net>
Cc: nanog@merit.edu
In-Reply-To: <20040420210916.GR30977@overlord.e-gerbil.net>
Errors-To: owner-nanog-outgoing@merit.edu
At 05:09 PM 20/04/2004, Richard A Steenbergen wrote:
>party to know which side won the collision handling. Therefore you need
>262144 packets * 3976 ephemeral ports (assuming both sides are jnpr, again
>worst case) * 2 (to figure out who was the connecter and who was the
>accepter) = 2084569088 packets to exhaustively search all space on this
>one single Juniper to Juniper session. Now, let's just for the sake of
>argument say that the router is capable of actively processing 10,000
>packets/sec of RST (a fairly exaggerated number) and still have this be
>considered a tcp attack instead of a straight DoS against the routing
>engine. This will still take 208456 seconds, or 57.9 hours.
<snip>
I don't understand why there are such large differences in claims.
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
says:
Modern operating
systems normally default the RCV.WND to about 32,768 bytes. This
means that a blind attacker need only guess 65,535 RST segments
(2^^32/(RCV.WND*2)) in order to reset a connection. At DSL speeds
this means that most connections (assuming the attacker can
accurately guess both ports) can be reset in under 200 seconds
(usually far less). With the rise of broadband availability and
increasing available bandwidth, many Operating Systems have raised
their default RCV.WND to as much as 64k, thus making these attacks
even easier.
Also, with the various 'bots' at people's disposal, why the assumption that the
attack would not be distributed?
---Mike
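The two estimates quoted in this message differ because they count different things: the draft counts only sequence-number guesses for one known port pair (2^32 divided by twice the receive window), while Richard's figure multiplies a per-port-pair guess count by the number of candidate ephemeral ports and by two for connection direction, then divides by a RST processing rate. The following calculator is an added example, not code from the thread or from the draft; it encodes the draft's formula and Richard's multiplication as plain arithmetic so an operator can plug in their own window sizes, port ranges and packet rates when sizing the risk. Richard's 262144 per-port-pair figure is taken as given rather than derived, and the bot count used for the distributed case is a constructed parameter, not anything stated on the page.

```python
from math import ceil

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence number space


def seq_guesses_from_window(rcv_wnd: int, coverage_factor: int = 2) -> int:
    """RST segments needed to land one sequence number inside the receiver's
    window, using the draft's formula 2^32 / (RCV.WND * factor).

    The draft uses a factor of 2; pass coverage_factor=1 for the stricter
    count where only a window's worth of sequence space is covered per guess.
    """
    return ceil(SEQ_SPACE / (rcv_wnd * coverage_factor))


def blind_rst_packets(seq_guesses: int, ephemeral_ports: int = 1,
                      direction_factor: int = 1) -> int:
    """Total RST segments to exhaust the search space when the attacker must
    also guess the ephemeral port (ephemeral_ports candidates) and which end
    of the session was the connecter (direction_factor of 2)."""
    return seq_guesses * ephemeral_ports * direction_factor


def seconds_to_exhaust(packets: int, pps: float, attackers: int = 1) -> float:
    """Wall-clock seconds to send `packets` RSTs at `pps` per source, spread
    across `attackers` sources sending in parallel (a distributed attack
    divides the time by the number of sources)."""
    return packets / (pps * attackers)


def hours_to_exhaust(packets: int, pps: float, attackers: int = 1) -> float:
    return seconds_to_exhaust(packets, pps, attackers) / 3600


def compare_estimates(bots: int = 1000) -> dict:
    """Reproduce both figures quoted in the message side by side.

    `bots` is a constructed parameter for the distributed case raised at the
    end of the message; it is not a number from the thread.
    """
    # Draft's per-port-pair count for a 32 KiB window and for a 64 KiB window.
    draft_32k = seq_guesses_from_window(32768)
    draft_64k = seq_guesses_from_window(65536)

    # Richard's worst case: 262144 sequence guesses per port pair, 3976
    # ephemeral ports, times 2 for connection direction, at 10,000 RST/s.
    richard_pkts = blind_rst_packets(262144, ephemeral_ports=3976,
                                     direction_factor=2)
    richard_hours = hours_to_exhaust(richard_pkts, 10_000)

    # Same packet count, but spread over `bots` sources each doing 10,000/s.
    distributed_seconds = seconds_to_exhaust(richard_pkts, 10_000, bots)

    return {
        "draft_guesses_32k_window": draft_32k,
        "draft_guesses_64k_window": draft_64k,
        "richard_total_packets": richard_pkts,
        "richard_hours_single_source": richard_hours,
        "distributed_seconds": distributed_seconds,
    }


if __name__ == "__main__":
    for key, value in compare_estimates().items():
        print(f"{key:32s} {value:,.1f}" if isinstance(value, float)
              else f"{key:32s} {value:,}")
```

The draft's "65,535" and this calculator's 65536 differ only by the ceiling; the interesting output is that the port-guessing factor alone is worth about four orders of magnitude, which is where the disagreement between the two quotes comes from. The distributed line shows why Mike's closing question matters: the per-source time budget is the quantity that shrinks as sources are added.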