lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200404250027.i3P0RuRJ083241@mailserver2.hushmail.com>
Date: Sat, 24 Apr 2004 17:27:56 -0700
From: <soby@...hmail.com>
To: bugtraq@...urityfocus.com
Subject: RE: US-CERT Technical Cyber Security Alert TA04-111A -- Vulnerabilities in TCP


A similar issue exists that allows someone to kill TCP connections that
go through many types of firewalls.  If the firewalls involved don't
adequately follow the sequence numbers being used in a connection, you
can usually indirectly kill the connection by sending a reset packet
with correct source/dest IPs and ports but a random sequence number.
 Many firewalls will see this reset and remove the connection from their
state tables, even if the end host discarded this bad reset.  If the
real source or destination hosts send additional traffic over this connection
the firewall will see this as bad traffic and usually send a valid reset
to that host, officially killing the connection.  The actual firewall
behavior will vary depending on the specific firewall but the end result
is always that the connection dies. 

This method also works with FINs in some cases because many firewalls
treat FINs in a similar way as resets instead of allowing long term half
closed connections.

I've personally done this with about 3 different firewalls but I don't
see any reason that it wouldn't work with any firewall that doesn't follow
sequence numbers for every connection (failover pairs come to mind in
particular).  Combined with predictable source ports, it makes a fairly
decent DoS against hosts going through firewalls to known points.

This issue was touched on in one of the Cisco advisories in an indirect
and round-about way.  Sorry if someone else has brought this up before
in a different forum but I don't remember seeing or hearing about it
and think it deserves to be mentioned in this thread. 

-Brian Soby



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ