Mark Felder <[email protected]> writes:

> On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
>> Hi,
>>
>> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
>> > An attacker who has the ability to spoof IP traffic can tear down a
>> > TCP connection by sending only 2 packets, if they know both TCP port
>> > numbers.
>>
>> This may be a silly question but, if the attacker can spoof IP traffic,
>> can't the same be done with a single RST packet?
>>
>
> Yes, this is how Sandvine anti-piracy products work. They detect you
> torrenting/P2P and then send an RST spoofed from the other end. You can
> defeat this by dropping RST altogether, which is what many people do.
> It's better if they don't blindly block all RST, and only to the ports
> they use for P2P...
That's not quite the same; that's a full man-in-the-middle attack on the
connection, so all of the connection information is available. The problem
being fixed here allowed an attacker to do that without knowing the
sequence numbers.

> I'm torn on calling this an actual security problem. It's certainly a
> bug -- defeated by a stateful firewall, as detailed in the SA -- but if
> someone can spoof the traffic... you've a problem at a different layer
> :-)

Spoofing traffic is pretty easy. The reason it isn't generally a problem
is that knowing what to spoof is more difficult.

[I assume that's what feld@ actually meant, but it's an important
distinction.]
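As an added illustration of the distinction drawn in this reply (this is not code from the thread or from FreeBSD), here is a small Python model of the receiver-side check that makes a blind RST much harder than the spoofing itself. A conforming stack only honours a RST whose sequence number falls inside the current receive window, so a spoofer who knows the ports but not the sequence numbers lands in the window with probability rcv_wnd / 2^32 per segment. The `check_window=False` mode is a hypothetical stack that skips that check entirely, standing in for the class of defect the reply describes; the connection state and trial counts are constructed for the example.

```python
"""Model of a TCP receiver's acceptance check for a spoofed RST.

Added illustration for the freebsd-security thread; not FreeBSD kernel code.
"""
import random
from dataclasses import dataclass

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit, modulo 2^32


@dataclass
class Connection:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window, in bytes


def in_window(seq: int, conn: Connection) -> bool:
    """RFC 793 style check: rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32)."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_tears_down(seq: int, conn: Connection, check_window: bool = True) -> bool:
    """True if a RST carrying `seq` would abort the connection.

    check_window=False models a hypothetical stack that never compares the
    sequence number against the window; such a stack aborts on any RST that
    matches the four-tuple, which is why port knowledge alone then suffices.
    """
    if not check_window:
        return True
    return in_window(seq, conn)


def acceptance_probability(conn: Connection) -> float:
    """Chance that one RST with a uniformly random sequence number is honoured."""
    return conn.rcv_wnd / SEQ_SPACE


def simulate(conn: Connection, trials: int, seed: int, check_window: bool = True) -> float:
    """Fraction of `trials` random-sequence RSTs that would abort the connection."""
    rng = random.Random(seed)
    hits = sum(
        rst_tears_down(rng.randrange(SEQ_SPACE), conn, check_window) for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    # Constructed connection state: window of 64 KiB near the top of the space,
    # so the modular comparison also exercises sequence-number wraparound.
    conn = Connection(rcv_nxt=0xFFFFFF00, rcv_wnd=65535)
    print(f"per-segment acceptance with window check: {acceptance_probability(conn):.2e}")
    print(f"blind RSTs honoured, window check on:  {simulate(conn, 10_000, 1):.4f}")
    print(f"blind RSTs honoured, window check off: {simulate(conn, 10_000, 1, False):.4f}")
```

The window check is what a stateful firewall reproduces on the host's behalf: it keeps the same four-tuple plus window state and drops out-of-window segments before the stack sees them, which is why the advisory lists it as a mitigation for the case where the stack's own check is bypassed.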
