lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Dec 2003 12:14:44 -0500
From: Barney Wolff <barney@...abus.com>
To: Michal Zalewski <lcamtuf@...ttot.org>
Cc: bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: A new TCP/IP blind data injection technique?


On Fri, Dec 12, 2003 at 01:41:13AM +0100, Michal Zalewski wrote:
> 
>    B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
>       seems that there is a notable (albeit unidentified at the moment)
>       population of systems that do consider it to be optional when set to
>       zero, or do not verify it at all. I have conducted a quick check
>       as follows:
> 
>       - I have acquired a list of 300 most recent unique IPs that
>         had established a connection to a popular web server.
>       - I have sent a SYN packet with a correct TCP checksum to all
>         systems on the list, receiving 170 RST replies.
>       - I have sent a SYN packet with zero TCP checksum to all systems on
>         the list, receiving 12 RST replies (7% of the pool).
> 
>       As such, there seems to be a reason for some concern, even with
>       random IP IDs, since it only takes one RFC-ignorant party for the
>       attack against a session to succeed.

I suspect that in these cases the RSTs may be coming from firewalls rather
than end-hosts.  It would be more impressive and surprising if one ever
got a SYN-ACK in response.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists