I agree that it's not new, or appears not to be new. What bothers me about it is that now it is *very* well known and the "kiddies" will start making use of it for "fun and profit"....
Ex

----- Original Message -----
From: "Michal Zalewski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 3:45 PM
Subject: Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00

> On Tue, 20 Apr 2004, Crist J. Clark wrote:
>
> > Does anyone know WTF they are trying to say in this AP article,
> > "Core Internet Technology Is Vulnerable,"
> > http://www.uniras.gov.uk/vuls/2004/236929/index.htm
>
> Just to have my $.02, I've posted a quick IMO piece about this to
> vulndiscuss (just as, without doubt, dozens of others decided to do), but
> I'm not sure it'll make it through.
>
> Here it is, for your amusement:
>
> /.../
>
> This vulnerability report, in essence, states that data injection attacks
> in TCP/IP sessions (and in particular, forcing connections to be dropped
> by spoofing RST packets) do not require the attacker to guess the exact
> sequence number, but rather operate within the range of sequence numbers
> defined by the window size / window scale parameters of the connection. This
> report is based on Mr. Watson's presentation at CanSecWest this year.
>
> I see this report comes from a reputable source and mentions, among
> others, Steve Bellovin as one of the folks involved in helping prepare it, but
> I feel utterly confused and stumped by how it deserves being called a new
> vulnerability. Although the original paper is valid, and it is definitely
> great conference speech material, I fail to see how this attack may be
> even remotely considered a new vulnerability.
>
> With just a quick google, I can find references going back to as early as
> a 1996 IP spoofing paper that clearly mentions the ability to insert data
> into the processing buffer by merely fitting into the receive window:
>
> http://www.networkcommand.com/docs/ipspoof.txt
>
> Similarly, the CERT advisory released after Tim Newsham and I published our
> TCP/IP ISN prediction papers (CA-2001-09) mentioned the very same
> possibility. Countless other more or less specific references to this
> common knowledge may be found across the web in no time, perhaps dating
> back to even earlier years.
>
> Connection dropping attacks are a specific case of data injection
> (connection hijacking) blind spoof attacks - the most popular and most
> commonly practiced case, that is. As such, I think there is both extensive
> prior knowledge (and art) for this vulnerability, and branding a
> subvariant of it a new attack is a tad misleading (shame on NISCC for not
> researching the issue?).
>
> That said, kudos to Watson: it is definitely good to see this problem
> being finally discussed in broad daylight; I think it would be good to see
> some kludges intended to mitigate it a bit.
>
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2004-04-20 21:05 --
>
> http://lcamtuf.coredump.cx/photo/current/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
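The mechanism the quoted post describes (a spoofed RST is honoured whenever its sequence number lands anywhere inside the receiver's window, so the attacker's search space is 2^32 divided by the effective window rather than 2^32) can be made concrete with a short simulation. The following Python is an added example, not code from the thread or from any of the papers it cites. The window and sequence-number values are constructed for illustration, and the final function shows the RFC 5961 challenge-ACK behaviour, a mitigation that postdates this discussion and is included only as the kind of "kludge" the post asks for.

```python
"""Blind TCP RST injection: why the receive window, not the exact
sequence number, bounds the attacker's work (added example)."""
from typing import Iterator, Optional

SEQ_SPACE = 2 ** 32


def in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a data-less segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32.
    A classic (pre-RFC 5961) stack acts on the RST flag of any such segment."""
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def effective_window(window_field: int, window_scale: int) -> int:
    """The 16-bit window field shifted by the negotiated scale option."""
    return window_field << window_scale


def rst_guesses(window_field: int, window_scale: int) -> int:
    """Worst-case number of spoofed RSTs needed to sweep the whole
    sequence space when each guess covers one effective window."""
    w = effective_window(window_field, window_scale)
    return -(-SEQ_SPACE // w)  # ceiling division


def blind_rst_sequence(window_field: int, window_scale: int,
                       start: int = 0) -> Iterator[int]:
    """SEQ values an attacker would spray: one per window, starting at
    an arbitrary offset (constructed; a real attacker picks any start)."""
    w = effective_window(window_field, window_scale)
    for i in range(rst_guesses(window_field, window_scale)):
        yield (start + i * w) % SEQ_SPACE


def first_hit(rcv_nxt: int, rcv_wnd: int,
              window_field: int, window_scale: int) -> Optional[int]:
    """Simulate the victim: index of the first spoofed RST a pre-RFC 5961
    stack would accept, or None if the sweep never lands in the window
    (only possible when the attacker assumes a larger window than the
    victim actually advertises)."""
    for i, seq in enumerate(blind_rst_sequence(window_field, window_scale)):
        if in_window(seq, rcv_nxt, rcv_wnd):
            return i
    return None


def rst_disposition_rfc5961(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2 (later mitigation, not part of the thread):
    reset only on an exact SEQ match; an in-window but inexact SEQ draws
    a challenge ACK that a blind attacker cannot answer; the rest is dropped."""
    if seg_seq == rcv_nxt:
        return "reset"
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


if __name__ == "__main__":
    # Constructed victim state: unscaled 64 KiB window.
    victim_nxt, victim_wnd = 123456789, 65535
    print("guesses, no scaling:", rst_guesses(65535, 0))
    print("guesses, scale 14:  ", rst_guesses(65535, 14))
    idx = first_hit(victim_nxt, victim_wnd, 65535, 0)
    print("first accepted RST is guess #", idx)
    seq = list(blind_rst_sequence(65535, 0))[idx]
    print("RFC 5961 would answer it with:",
          rst_disposition_rfc5961(seq, victim_nxt, victim_wnd))
```

The arithmetic is the whole point: with an unscaled 65535-byte window the sweep takes about 65538 packets, and with window scaling at 14 it takes five, which is why the window scale option turns this from a nuisance into a practical attack on long-lived sessions such as BGP. Under RFC 5961 the same in-window guess only provokes a challenge ACK, and the blind attacker is back to needing the exact RCV.NXT.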
