From: fulldisc at sun.consumer.org.il (Shachar Shemesh)
Subject: A new TCP/IP blind data injection technique?

Michal Zalewski wrote:

>Consider the following: Bob sends a TCP/IP ACK packet to Alice, with a
>data payload and within an established session, of which session the
>attacker is aware (attacker-induced or server to server traffic, perhaps).
>Bob's packet exceeds the MTU somewhere en route (be it on some WAN
>interface, or on a local PPPoA, PPPoE or VPN interface), a situation not
>quite unheard of; the IP packet gets fragmented in order to be delivered
>successfully.
This attack is timing sensitive, route sensitive, and is highly 
unreliable. Those problems aside, however, there is a more fundamental 
problem. You need to time each and every fragmented packet you send to 
always arrive before or after (depending on receiving machine's IP 
stack) the corresponding legit fragment, yet before the entire packet is 
assembled. All of that, without having any knowledge about either side 
of the communication parties.

How do you get the legit connection you are trying to overload to 
fragment at the place you mention? Most TCP/IP connections employ PMTU 
discovery, and then split the stream at layer 4, rather than perform 
Layer 3 assembly. As a result, fragments in TCP/IP communication are 
extremely rare. The probes I know of show that major sites hardly ever 
see any fragments at all, outside of deliberate attacks.

Even if you found a victim that does not employ PMTU, fragmentation is 
still a rare occurrence.

Even if you found a victim that does not employ PMTU, connecting to a 
machine where the route requires fragmentation, that splitting is 
performed by the routers en-route. Most routers split the packet with 
the large chunk being at the beginning. Assuming MTU can never go below 
~300 bytes (a conservative number - most will say 512), this means the 
entire IP and TCP headers are in the same fragment, as well as quite a 
chunk of the actual TCP payload.

All in all, an interesting attack vector, but I'm not sure how practical 
it is.

             Shachar

-- 
Shachar Shemesh
Open Source integration & consulting
Home page & resume - http://www.shemesh.biz/
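As an added illustration, not part of the original exchange, here is a small RFC 791-style IPv4 fragmentation calculator. It shows where a router would split a datagram for a given link MTU, that a datagram with the Don't-Fragment bit set is never split (the PMTU discovery case), and that for MTUs down to around 300 bytes the first fragment still carries the whole IP and TCP header plus a sizeable chunk of payload, which is the point made above. Packet sizes and MTUs used here are constructed values.

```python
# Added example (not from the original post): minimal IPv4 fragmenter used to
# check where the TCP header and payload land for a given MTU.
# Header sizes assume no IP or TCP options; MTU/packet values are constructed.

IP_HDR = 20        # IPv4 header length without options
TCP_HDR = 20       # TCP header length without options
MIN_MTU = 68       # smallest MTU every IPv4 host must accept (RFC 791)


def fragment(total_len, mtu, df=False):
    """Split an IPv4 datagram of total_len bytes for a link with the given MTU.

    Returns a list of (offset_bytes, data_len, more_fragments) tuples, where
    offset_bytes is the IP data offset (the header field is offset_bytes // 8).
    Returns None when DF is set and the datagram does not fit: a router then
    drops it and sends ICMP "fragmentation needed", which is how PMTU discovery
    keeps TCP segments from ever being fragmented at layer 3.
    """
    if mtu < MIN_MTU:
        raise ValueError("MTU below the RFC 791 minimum of 68 bytes")
    if total_len <= mtu:
        return [(0, total_len - IP_HDR, False)]   # fits, no fragmentation
    if df:
        return None
    # Every non-final fragment carries a multiple of 8 data bytes, filled to
    # the MTU, so the first fragment is the largest one ("large chunk first").
    per_frag = (mtu - IP_HDR) // 8 * 8
    payload = total_len - IP_HDR
    frags, off = [], 0
    while off < payload:
        n = min(per_frag, payload - off)
        off += n
        frags.append((off - n, n, off < payload))
    return frags


def tcp_header_in_first_fragment(frags):
    """True if fragment 0 holds the complete TCP header (offset 0, >= 20 bytes)."""
    off, n, _ = frags[0]
    return off == 0 and n >= TCP_HDR


def payload_in_first_fragment(frags):
    """Bytes of TCP payload (beyond the TCP header) carried by fragment 0."""
    return max(0, frags[0][1] - TCP_HDR)
```

Running `fragment(1500, 300)` yields six fragments, the first of which carries the full IP and TCP header and 260 bytes of payload; `fragment(1500, 576, df=True)` returns None, modelling the PMTU discovery path that makes layer-3 fragments rare in practice.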


