[32825] in bugtraq
Re: A new TCP/IP blind data injection technique?
daemon@ATHENA.MIT.EDU (Barney Wolff)
Fri Dec 12 16:43:44 2003
Date: Fri, 12 Dec 2003 12:14:44 -0500
From: Barney Wolff <barney@databus.com>
To: Michal Zalewski <lcamtuf@ghettot.org>
Cc: bugtraq@securityfocus.com, full-disclosure@netsys.com
Message-ID: <20031212171444.GA31845@pit.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031212011652.T66813@dekadens.coredump.cx>
On Fri, Dec 12, 2003 at 01:41:13AM +0100, Michal Zalewski wrote:
>
> B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
> seems that there is a notable (albeit unidentified at the moment)
> population of systems that do consider it to be optional when set to
> zero, or do not verify it at all. I have conducted a quick check
> as follows:
>
> - I have acquired a list of 300 most recent unique IPs that
> had established a connection to a popular web server.
> - I have sent a SYN packet with a correct TCP checksum to all
> systems on the list, receiving 170 RST replies.
> - I have sent a SYN packet with zero TCP checksum to all systems on
> the list, receiving 12 RST replies (7% of the pool).
>
> As such, there seems to be a reason for some concern, even with
> random IP IDs, since it only takes one RFC-ignorant party for the
> attack against a session to succeed.
I suspect that in these cases the RSTs may be coming from firewalls rather
than end-hosts. It would be more impressive and surprising if one ever
got a SYN-ACK in response.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
