[792] in bugtraq
Re: the next generation of nuke.c
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Thu Jan 26 18:03:52 1995
From: smb@research.att.com
To: Oliver Friedrichs <iceman@MBnet.MB.CA>
Cc: bugtraq@fc.net
Date: Thu, 26 Jan 95 15:30:13 EST
More of a denial of service attack, but with the current discussion on
bugtraq/firewalls regarding sequence number guessing, I thought I'd put
forward a method on killing an established TCP connection, besides the
(mis)usage of ICMP unreachable messages. It would also appear, that
although this attack is more difficult to launch, it would also be more
difficult to prevent.
Since it's possible to guess sequence numbers of the packets in a TCP
connection, it seems it would be possible to then send a fake FIN message
to our target, followed directly by an ACK to acknowledge the closing
of the connection.
If you wanted to kill a connection, all you would have to do is flood one
of the ends with FIN/ACK packets until you get the sequence numbers
correct.
- Oliver
Well, RST is more definitive than FIN, somehow...
That said, the attack you cite is harder to carry out than you think.
It's easy to guess the next starting sequence number for a connection;
it's much harder to know what the sequence number status is of an existing
connection unless you're sniffing the wire. You'd also have to know
what the client's port number was; again, without sniffing the wire, that's
hard to come by, unless one of the two sites has an overly-cooperative
SNMP server.
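The point in the reply, that a blind attacker cannot know the current sequence number state, is also what makes the "flood until correct" approach visible on the wire: nearly every guessed FIN/ACK or RST lands outside the receiver's window. Below is an added monitoring example (not code from either poster) that scores out-of-window FIN/RST segments per connection; the four-tuples, receive-window state and segments are constructed for the example.

```python
from collections import defaultdict

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd

def find_spray(segments, rcv_state, threshold=10, period=1.0):
    """Return the 4-tuples that saw >= threshold out-of-window FIN/RST
    segments within any `period` seconds.

    segments : iterable of (ts, src, sport, dst, dport, seq, flags)
    rcv_state: {(src, sport, dst, dport): (rcv_nxt, rcv_wnd)} for the
               endpoint receiving that direction, as the monitor tracks it.
    A blind sender cannot see rcv_nxt, so guessed segments almost all
    miss the window; a legitimate close lands inside it.
    """
    hits = defaultdict(list)
    for ts, src, sport, dst, dport, seq, flags in segments:
        if "F" not in flags and "R" not in flags:
            continue
        key = (src, sport, dst, dport)
        if key not in rcv_state:
            continue                      # unknown connection: not scored here
        rcv_nxt, rcv_wnd = rcv_state[key]
        if not in_window(seq, rcv_nxt, rcv_wnd):
            hits[key].append(ts)
    alerts = set()
    for key, times in hits.items():
        times.sort()                      # sliding window over hit timestamps
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= period:
                alerts.add(key)
                break
    return alerts

# Constructed sample traffic (not captured data). CONN is the server->client
# direction of one SSH session; the monitor knows the client's receive state.
CONN = ("10.0.0.5", 22, "192.0.2.9", 40211)
OTHER = ("10.0.0.5", 22, "192.0.2.10", 40212)
STATE = {CONN: (1_000_000, 8_192), OTHER: (500_000, 8_192)}
SAMPLE = [(0.00, *CONN, 1_000_050, "FA"),      # legitimate FIN/ACK, in window
          (0.50, *OTHER, 500_010, "FA")]        # another normal close
SAMPLE += [(0.01 * i, *CONN, 1_000_000 + 65_536 * i, "FA" if i % 2 else "R")
           for i in range(1, 13)]               # 12 guessed seqs, all out of window

if __name__ == "__main__":
    for key in find_spray(SAMPLE, STATE):
        print("possible blind FIN/RST spray against", key)
```

The same in-window test is what a receiver applies before honouring a FIN or RST, which is why the sniffing step the reply mentions matters so much to the sender.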