Full Disclosure mailing list archives

Re: Reflection Scan: an Off-Path Attack on TCP
From: xD 0x41 <secn3t () gmail com>
Date: Thu, 19 Jan 2012 13:22:35 +1100

On 18 January 2012 09:45, Jan Wrobel <wrr () mixedbit org> wrote:

This TCP session hijacking technique might be of interest to some of you.

The paper demonstrates how the traffic load of a shared packet queue can
be exploited as a side channel through which protected information
leaks to an off-path attacker. The attacker sends to a victim a
sequence of identical spoofed segments. The victim responds to each
segment in the sequence (the sequence is reflected by the victim) if
the segments satisfy a certain condition tested by the attacker. The
responses do not reach the attacker directly, but induce extra load on
a routing queue shared between the victim and the attacker. Increased
processing time of packets traversing the queue reveals that the tested
condition was true. The paper concentrates on TCP, but the
approach is generic and can be effective against other protocols that
allow constructing requests which are conditionally answered by the
victim. A proof of concept was created to assess the applicability of the
method in real-life scenarios.

The paper in ps and pdf is available at http://mixedbit.org and

Proof of concept: https://github.com/wrr/reflection_scan


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Very cool :)
Thanks for showing this as a 'type' of sequencing, I'd love to test this
with winBITS and see what makes a difference in there... but yeah, nice
stuff from the snippets I have read and could comprehend without
making a packeting app :P hehe.. great work, and great paper for ANY
hat to wear.
Might have to try it one day and see if it is as effective as it seems!
Great stuff tho, anything to do with bugs within TCP/IP stacks should
always be encouraged... thanks for the encouragement :-)
Cheers, and I'll maybe add more on this and another person's (pi3.com.pl)
TCP/IP session hijacking, which people have even said is impossible...
I guess they should find and watch that video, or just ask the author
of the blog to explain it more... maybe that would give them something to
actually see as a 'PoC'.... anyhow, many thanks for your input and,
again, any further add-ons and appendices to the papers, just let the
list know, and I'll make sure the topic maybe gets better coverage,
as this is also a topic many ppl called me a wanker on... or maybe one
of them :s megh, I don't count now. I just read the msgs from 3 ppl
and delete the rest :)
The best way to use FD is to take what you're given, and stfu... I don't
know why so many ppl seem to call me this, when I am only interested
in bugs I can actually exploit... yet there's so much bullsh1t on this forum,
they have forgotten what a bug is, and what a PoC is... and now,
these are 'design flaws' lol.... anyhow, please keep up the research,
we like it! Oh, that's the ppl like, 3 of you (maybe) who actually
seem cool ;)
You also do, and you're on a great topic, don't let idiots pick out any
flaws in anything on this subject, coz believe me, behind every
trolling I've been through, that was the worst when I spoke about methods
of hijacking TCP/IP stacks.... and did not give out the PoC... well, now
the PoC is available to see on video for those who are not idiots and
abuse, but actually want to see it working :)
Ok, that's my 2 bob, don't expect any answers, unless you're a VERY well
known person, I will auto delete it, so I hope to see you in my
channel, anytime online... and there, we could discuss ANYTHING :)
Why some of you are there, and see what I do, I guess are not the
haters on this list but also they get what 'they're given', which is
ALOTTTT in the cases where people are cool.... so I guess the moral of
the story is, don't smash the stack toooo hard....
Enjoy buddy, I'm probably one of few who would even understand it but
anyhow :P Thanks!

NOT a top poster anymore, omg, what's this, not using Glow XD, what is
this, madness!! omg!
Seriously folks, you should all read more of the work of people like this,
and then maybe contribute some of your own frigging srcs, instead of
relying on ppl like kcope to fist fuck you, which is fine by me :> I
hope he fucks this list over, nonstop till your arses bleed, but hey,
that's JUST me! Love you all long fucking time arseholes, go to hell,
and don't even try talking to me, ever, if you're not already in the addy
book, you will fkn know about it and oh, I CAN ddos you, and I WILL,
so anytime you like to shit me, in private, and wish to test your
fwall, go hard, I don't care, I should say we... but it really doesn't
matter, coz I don't even have to press the buttons for the wankers who
have already flamed me in the past anymore, you will only feel what I
love best, TCP/IP and, possibly UDP!
Have a fucking GREAT day arsefucker. Oh and, lickers are cool so, no
offence there nor for them :)
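The mechanism in the quoted abstract (reflected responses raising the load on a shared queue, and the resulting delay leaking the victim's answer) is easiest to reason about with a toy model. The following is an added illustration written for this archive page; it is not the paper's code nor the reflection_scan proof of concept, and it sends no packets. It assumes discrete time, one shared queue that drains SERVICE packets per tick and always carries BACKGROUND unrelated packets per tick, and a victim that reflects one response per spoofed probe only when the probed condition holds. The `response_limit` knob models the defender-side mitigation of rate-limiting responses to unsolicited segments (the same idea behind the throttling of challenge ACKs in RFC 5961); the model shows that such a cap only closes the channel when the reflected traffic fits inside the queue's spare capacity.

```python
"""Toy model of the queue-load side channel described in the quoted abstract.

Constructed simulation (not the paper's code nor the reflection_scan PoC):
time is discrete, one router queue is shared by the victim and an off-path
observer, it drains SERVICE packets per tick and always receives BACKGROUND
unrelated packets per tick. The victim reflects one response per spoofed
probe only when the probed condition holds. The observer never sees those
responses; it only measures how long its own packet waits in the shared queue.
"""
from dataclasses import dataclass
from typing import Optional

SERVICE = 2       # packets the shared queue drains per tick (assumed value)
BACKGROUND = 1    # unrelated packets entering the queue per tick (assumed value)


@dataclass
class Victim:
    condition_true: bool
    # Mitigation knob: cap on reflected responses per tick (None = unlimited).
    # This models a rate limit on replies to unsolicited segments.
    response_limit: Optional[int] = None

    def reflect(self, probes: int) -> int:
        """Responses emitted for `probes` identical spoofed segments in one tick."""
        if not self.condition_true:
            return 0
        if self.response_limit is None:
            return probes
        return min(probes, self.response_limit)


def backlog_after_burst(victim: Victim, probes_per_tick: int, ticks: int) -> int:
    """Queue occupancy once a burst of identical probes has (or has not) been reflected."""
    backlog = 0
    for _ in range(ticks):
        backlog += BACKGROUND + victim.reflect(probes_per_tick)
        backlog = max(0, backlog - SERVICE)      # the queue drains SERVICE per tick
    return backlog


def observed_delay(victim: Victim, probes_per_tick: int, ticks: int) -> int:
    """Ticks the observer's own packet waits behind the backlog (ceiling division)."""
    backlog = backlog_after_burst(victim, probes_per_tick, ticks)
    return -(-backlog // SERVICE)


def timing_leak(probes_per_tick: int, ticks: int,
                response_limit: Optional[int] = None) -> int:
    """Extra delay the observer sees when the condition is true versus false.

    A positive result means timing alone separates the two cases, i.e. the
    shared queue leaks the victim's answer to someone who never sees it.
    """
    true_case = Victim(True, response_limit)
    false_case = Victim(False, response_limit)
    return (observed_delay(true_case, probes_per_tick, ticks)
            - observed_delay(false_case, probes_per_tick, ticks))


def throttle_closes_channel(response_limit: int) -> bool:
    """A response cap hides the leak only when the reflected traffic fits the
    queue's spare capacity, so a burst can never build a backlog."""
    return response_limit <= SERVICE - BACKGROUND


if __name__ == "__main__":
    for limit in (None, 2, 1):
        print(f"response limit={limit!s:>4}: extra delay = "
              f"{timing_leak(4, 50, limit)} ticks")
```

With the assumed numbers, an unthrottled victim adds 75 ticks of delay for a burst of 50 x 4 probes when the condition is true and none when it is false; a cap of 2 responses per tick still leaks 25 ticks because it exceeds the one packet per tick of spare capacity, while a cap of 1 leaves the two cases indistinguishable. The practical reading for a defender is that a throttle sized only to protect the host's own CPU may still be far above what keeps a shared upstream queue from betraying the answer.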

