Bugtraq mailing list archives

re:Breaking the checksum (a new TCP/IP blind data injection technique
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 15 Dec 2003 20:07:19 +0100 (CET)

On Mon, 15 Dec 2003 LARSJ () inel gov wrote:

> This is a good line of thought that needs to be re-addressed every now
> and then, but I can remember discussing this exact attack ten years ago.
> There's even an RFC on it. RFC 1858 if memory serves.

Lars,

Nope. The set of attacks discussed in RFC1858 is indeed old, but has
nothing to do with the TCP/IP injection vector I have described. The
RFC1858 attacks describe firewall-bypassing attacks: "tiny fragment
attack", where a malicious TCP or UDP packet is sent in chunks too small
to be properly analyzed by the device; and "source porting", where the
header of a previously analyzed packet is modified by an overlapping
chunk.

Both techniques are old, well known and easy to prevent (and, indeed,
prevented by all modern implementations). The attack I described, for a
change, is not aimed at bypassing a firewall, and seems to be pretty damn
impossible to fix without breaking some functionality.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-15 20:02 --

   http://lcamtuf.coredump.cx/photo/current/
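As an added illustration (not part of the original post or of Michal Zalewski's code) of why the reply calls the RFC 1858 attacks "easy to prevent": the two filter rules the RFC recommends, applied to constructed IPv4 fragment headers. The TMIN threshold and the build_fragment helper are assumptions of this example.

```python
import struct

# Assumed minimum number of transport-header bytes the first fragment must
# carry so a filter can see the TCP ports and flags. RFC 1858 leaves the exact
# value to the implementer; 16 is a constructed choice for this example.
TMIN = 16
IPPROTO_TCP = 6

def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the IPv4 fields needed for the RFC 1858 fragment checks."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,      # in 8-octet units
        "transport_len": total_len - ihl,        # bytes after the IP header
    }

def rfc1858_verdict(packet: bytes) -> str:
    """Apply the two RFC 1858 rules to one fragment and return pass/drop."""
    h = parse_ipv4_header(packet)
    if h["proto"] != IPPROTO_TCP:
        return "pass"
    # Overlapping-fragment defence: a TCP fragment at offset 1 (8 octets in)
    # can only exist to overwrite the transport header that the first
    # fragment carried, so it is dropped outright.
    if h["frag_offset"] == 1:
        return "drop: overlapping fragment (FO=1)"
    # Tiny-fragment defence: the first fragment must carry enough of the
    # TCP header for the filter to inspect it.
    if h["frag_offset"] == 0 and h["transport_len"] < TMIN:
        return "drop: tiny first fragment"
    return "pass"

def build_fragment(proto: int, frag_offset: int, more_fragments: bool,
                   payload_len: int) -> bytes:
    """Constructed IPv4 header (no options) plus a zeroed payload, for tests."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                         flags_frag, 64, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + bytes(payload_len)
```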
