On Wed, 01 Oct 2008 14:52:29 +0200
Leon Dippenaar <[EMAIL PROTECTED]> wrote:

> Hi there,
> 
> is there any weight to this new story on slashdot 
> http://it.slashdot.org/it/08/10/01/0127245.shtml
> 
> about a new attack possible to break any tcp stack? Sounds rather 
> shady, so here I am, perhaps you guys have your ears closer to the ground
> 
> Regards
> 
> 

Seems possible.  Here: http://cr.yp.to/syncookies/archive
you will find the passage

"
   An attack would still need to know our random secret in order to
   spoof a connection without seeing any of our outgoing traffic.
   If an attacker can see our outgoing traffic, then they will be
   able to spoof a connection, but they could have done that anyway,
   even under the secure sequence number scheme we currently use.
"
and here: http://it.slashdot.org/it/08/10/01/0127245.shtml
"
Sockstress computes and stores so-called client-side SYN cookies and enables 
Lee and Louis to specify a destination port and IP address. The method allows 
them to complete the TCP handshake without having to store any values, which 
takes time and resources. "We can then say that we want to establish X number 
of TCP connections on that address and that we want to use this attack type, 
and it does it," Lee said.
"

we have the implication(?) that the exploit samples the target server 
for a number of SYN cookies that will allow them to crack the 24-bit
'secret' hash that the server is using.  Once that is done, they
can then forge a large number of packets from random IP addresses
that look like correct client acks of the server's syn cookie.  

A server might counter by using a new secret hash for each session
request (leaving it open to a resource-hog attack) or use a sequential 
mod of its hash for each new request made...

Dhu
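The mechanism Dhu speculates about above, written out as an added toy model that is not part of the thread, of Sockstress, or of any real TCP stack: a 32-bit SYN cookie that packs a 5-bit coarse timestamp, a 3-bit MSS-table index and a 24-bit keyed hash over the connection 4-tuple. The bit layout, the MSS table and the use of HMAC-SHA256 truncated to 24 bits are assumptions made for the example (the mail only says the hash is 24 bits). `forge_acks` plays the attacker who has recovered the server's secret: it emits handshake-completing ACKs for invented client addresses without ever sending a SYN or seeing a SYN/ACK, and `accepted_count` shows the server accepting all of them, and accepting none once the secret has been changed.

```python
import hashlib
import hmac
import random
import struct

# Assumed MSS table; real stacks use their own (and fewer bits in some schemes).
MSS_TABLE = (536, 1300, 1440, 1460, 4312, 8960, 9000, 65495)
TS_BITS, MSS_BITS, HASH_BITS = 5, 3, 24          # 5 + 3 + 24 = 32-bit ISN
HASH_MASK = (1 << HASH_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


def cookie_hash(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed hash of the 4-tuple and coarse timestamp t.
    HMAC-SHA256 truncated to 3 bytes is an assumption for this example."""
    msg = saddr.encode() + b"|" + daddr.encode() + struct.pack("!HHI", sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, t, mss_index):
    """Server side: the ISN sent in the SYN/ACK. Nothing is stored per connection."""
    return (((t & ((1 << TS_BITS) - 1)) << 27)
            | ((mss_index & ((1 << MSS_BITS) - 1)) << 24)
            | cookie_hash(secret, saddr, daddr, sport, dport, t))


def check_cookie(secret, saddr, daddr, sport, dport, ack_seq, now, max_age=1):
    """Server side: validate the third handshake segment (ack_seq = cookie + 1).
    Returns the negotiated MSS on success, None on failure."""
    cookie = (ack_seq - 1) & SEQ_MASK
    t = cookie >> 27
    # Accept the current tick and up to max_age previous ticks (5-bit wraparound).
    if (now - t) & ((1 << TS_BITS) - 1) > max_age:
        return None
    if (cookie & HASH_MASK) != cookie_hash(secret, saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & ((1 << MSS_BITS) - 1)]


def forge_acks(known_secret, daddr, dport, now, count, seed=1):
    """Attacker side: with the 24-bit hash secret recovered, fabricate ACKs for
    `count` made-up client addresses and ports. The addresses are constructed
    at random for the example; no SYN is sent and no SYN/ACK is observed."""
    rng = random.Random(seed)
    acks = []
    for _ in range(count):
        saddr = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
        sport = rng.randrange(1024, 65536)
        cookie = make_cookie(known_secret, saddr, daddr, sport, dport, now, 3)
        acks.append((saddr, sport, (cookie + 1) & SEQ_MASK))
    return acks


def accepted_count(server_secret, daddr, dport, acks, now):
    """Server side: how many offered ACKs pass validation and would therefore
    be promoted to full connections (the resource the attack aims to exhaust)."""
    return sum(1 for saddr, sport, ack in acks
               if check_cookie(server_secret, saddr, daddr, sport, dport, ack, now) is not None)


if __name__ == "__main__":
    secret = b"server-secret-00"
    acks = forge_acks(secret, "192.0.2.1", 80, now=7, count=50)
    print("accepted with leaked secret :", accepted_count(secret, "192.0.2.1", 80, acks, 7))
    print("accepted after secret rotate:", accepted_count(b"rotated-secret-1", "192.0.2.1", 80, acks, 7))
```

The point the model makes explicit is the one in the cr.yp.to passage: the cookie's only defence against a blind forger is the secret behind the 24-bit hash, so once that secret is known the server cannot distinguish a forged ACK from a real one, and rotating the secret (at the cost of dropping handshakes in flight) is what invalidates the forgeries.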
