Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00

From: Pavel Kankovsky (peakargo.troja.mff.cuni.cz)
Date: Tue Apr 20 2004 - 16:40:39 CDT


On Tue, 20 Apr 2004, Michal Zalewski wrote:

> That said, kudos to Watson: it is definitely good to see this problem
> being finally discussed in broad daylight; I think it would be good to see
> some kludges intended to mitigate it a bit.

Data injection may be thwarted by TCP timestamps (RFC 1323). Timestamps
are 32 bits long and received echoed timestamps must correspond to
(recently) sent timestamps. The exact implementation would probably be
somewhat tricky but I think it might be able to extend the "effective
sequence number" by at least 16 bits.

A spoofed "timestamp-less" SYN or SYN-ACK packet during the initial 3-way
handshake might prevent the use of TCP timestamps but an attacker would
have to guess the full 32 bits of an ISN (or of two ISNs in the SYN-ACK case).

Unfortunately timestamps won't help against spoofed RST packets because
existing TCP implementations are supposed not to send them in RST
packets.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
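The following sketch illustrates the mitigation described in the message above: a receiver that, beyond the usual in-window sequence-number check, requires a data segment's echoed timestamp (TSecr) to fall within a band of timestamps it recently sent, and that cannot apply the same check to RST segments because they carry no timestamp. It is an added example written for this page, not Pavel Kankovsky's code nor any real TCP stack; the window size, the width of the accepted timestamp band and the constructed segments are assumptions.

```python
"""
Receiver-side check of echoed TCP timestamps (RFC 1323 TSecr) as an extra
guard on injected data, alongside the sequence-number window check.
Added illustration, not code from the original post or from any TCP
implementation.  All numeric parameters below are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Optional

SEQ_SPACE = 2 ** 32   # sequence numbers and timestamps are both 32-bit values


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Segment:
    """Minimal constructed model of an incoming segment."""
    seq: int
    rst: bool = False
    ts_ecr: Optional[int] = None   # echoed timestamp; None means option absent


class TimestampGuardedReceiver:
    def __init__(self, rcv_nxt: int, rcv_wnd: int, ts_band: int = 65536):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        # Width (in timestamp ticks) of the band of recently sent TSvals
        # whose echo we still accept.  Assumed value, not from the page.
        self.ts_band = ts_band
        self.last_tsval: Optional[int] = None

    def send(self, tsval: int) -> None:
        """Record the TSval we put in an outgoing segment."""
        self.last_tsval = tsval % SEQ_SPACE

    def accept(self, seg: Segment) -> bool:
        """Decide whether a segment passes the window and timestamp checks."""
        if not seq_in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            return False
        if seg.rst:
            # RST segments carry no timestamp option, so only the
            # window check is available for them (the caveat in the post).
            return True
        if seg.ts_ecr is None or self.last_tsval is None:
            # Timestamps are in use; a data segment without one is dropped.
            return False
        # Echo must be at most ts_band ticks behind the newest TSval we sent
        # and never ahead of it (modular distance).
        return (self.last_tsval - seg.ts_ecr) % SEQ_SPACE < self.ts_band

    def extra_guess_bits(self) -> float:
        """log2 of the extra search-space factor the timestamp band imposes
        on top of the sequence-number window."""
        return math.log2(SEQ_SPACE / self.ts_band)


if __name__ == "__main__":
    rx = TimestampGuardedReceiver(rcv_nxt=1000, rcv_wnd=65535)
    for t in range(100, 200):
        rx.send(t)
    print("data, good echo :", rx.accept(Segment(seq=1500, ts_ecr=150)))
    print("data, bad echo  :", rx.accept(Segment(seq=1500, ts_ecr=5000)))
    print("rst, no timestamp:", rx.accept(Segment(seq=1500, rst=True)))
    print("extra bits      :", rx.extra_guess_bits())
```

With a band of 2^16 ticks, an in-window data segment must additionally carry one of 2^16 acceptable echoes out of 2^32, which is the "at least 16 bits" extension of the effective sequence number the message estimates; the RST branch shows why the same check gives no protection against spoofed resets.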