Re: the next generation of nuke.c
smbresearch.att.com
Thu, 26 Jan 95 15:30:13 EST
- Maybe in reply to: Scott D. Yelich: "the next generation of nuke.c"
> More of a denial of service attack, but with the current discussion on bugtraq/firewalls regarding sequence number guessing, I thought I'd put forward a method on killing an established TCP connection, besides the (mis)usage of ICMP unreachable messages. It would also appear, that although this attack is more difficult to launch, it would also be more difficult to prevent.
>
> Since it's possible to guess sequence numbers of the packets in a TCP connection, it seems it would be possible to then send a fake FIN message to our target, followed directly by an ACK to acknowledge the closing of the connection. If you wanted to kill a connection, all you would have to do is flood one of the ends with FIN/ACK packets until you get the sequence numbers correct.
>
> - Oliver

Well, RST is more definitive than FIN, somehow...

That said, the attack you cite is harder to carry out than you think. It's easy to guess the next starting sequence number for a connection; it's much harder to know what the sequence number status is of an existing connection unless you're sniffing the wire. You'd also have to know what the client's port number was; again, without sniffing the wire, that's hard to come by, unless one of the two sites has an overly-cooperative SNMP server.
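
The reply's point, that a forged segment has to match both the connection's port pair and its current sequence state, modelled from the receiver's side as an added example that is not part of the original message. The addresses, ports and window size are constructed, and the strict mode assumes the RFC 5961 rule that a RST is honoured only at exactly RCV.NXT.

```python
from fractions import Fraction

SEQ_SPACE = 2**32  # TCP sequence numbers are 32-bit and wrap around

# Constructed connection state (documentation addresses, made-up values).
CONN = {
    "tuple": ("192.0.2.10", 40000, "198.51.100.5", 23),  # src ip/port, dst ip/port
    "rcv_nxt": 0xFFFFFF00,  # next sequence number the receiver expects
    "rcv_wnd": 0x200,       # receive window; deliberately straddles the wrap
}

def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd

def rst_disposition(segment, conn, strict=True):
    """What the receiver does with an incoming RST.

    segment is (src_ip, src_port, dst_ip, dst_port, seq).
    strict=True applies the RFC 5961 rule; strict=False is the classic window check.
    """
    if segment[:4] != conn["tuple"]:
        return "drop-no-connection"   # wrong port pair: never reaches this connection
    seq = segment[4]
    if not in_window(seq, conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop"                 # stale or guessed sequence number
    if strict and seq != conn["rcv_nxt"]:
        return "challenge-ack"        # in window but not exact: ask the real peer
    return "reset"

def accept_fraction(rcv_wnd, candidate_ports, strict=True):
    """Fraction of uniformly guessed (port, seq) pairs that would reset the connection."""
    acceptable_seqs = 1 if strict else rcv_wnd
    return Fraction(acceptable_seqs, SEQ_SPACE * candidate_ports)

if __name__ == "__main__":
    base = CONN["tuple"]
    for seq in (0xFFFFFF00, 0x10, 0x100):
        print(hex(seq), rst_disposition(base + (seq,), CONN, strict=False),
              rst_disposition(base + (seq,), CONN, strict=True))
    print(accept_fraction(CONN["rcv_wnd"], 16384, strict=False))
```

A larger receive window raises the accepted fraction under the classic check, while the strict check keeps it at one sequence number per port pair regardless of window size.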