|
Full Disclosure
mailing list archives
Re: A new TCP/IP blind data injection technique?
From: Barney Wolff <barney () databus com>
Date: Fri, 12 Dec 2003 12:14:44 -0500
On Fri, Dec 12, 2003 at 01:41:13AM +0100, Michal Zalewski wrote:
B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
seems that there is a notable (albeit unidentified at the moment)
population of systems that do consider it to be optional when set to
zero, or do not verify it at all. I have conducted a quick check
as follows:
- I have acquired a list of 300 most recent unique IPs that
had established a connection to a popular web server.
- I have sent a SYN packet with a correct TCP checksum to all
systems on the list, receiving 170 RST replies.
- I have sent a SYN packet with zero TCP checksum to all systems on
the list, receiving 12 RST replies (7% of the pool).
As such, there seems to be a reason for some concern, even with
random IP IDs, since it only takes one RFC-ignorant party for the
attack against a session to succeed.
I suspect that in these cases the RSTs may be coming from firewalls rather
than end-hosts. It would be more impressive and surprising if one ever
got a SYN-ACK in response.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- Re: A new TCP/IP blind data injection technique?, (continued)
Re: A new TCP/IP blind data injection technique? Valdis . Kletnieks (Dec 11)
|
Intro
