| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Jul 2005 20:17:36 -0600
From: Theo de Raadt <deraadt@....openbsd.org>
To: bugtraq@...urityfocus.com
Subject: ICMP vulnerabilities
Much more information on the ICMP vulnerabilities that allow you to blindly
tear down TCP sessions.
http://kerneltrap.org/node/5382
Please note these are not man-in-the-middle attacks. You can do them
blind. Totally blind. You do not need to know any information.
There are three attacks outlined. They require very small numbers of
packets.
My favorite twist to this would be to slow BGP sessions down so they
(1) stay in TCP slow-start, (2) run with very small MTU. To do both
these things requires about 128,000 icmp packets, if I recall (perhaps
we can get real figures from gont).
a) The BGP session would effectively stall, since it cannot keep
up with the updates.
b) The BGP daemon would not know that the session has stalled.
The sub-net starts to become de-syncronized.
Once you are doing very small TCP packets with slow-start, you can
slow down on your icmp attack. You just need to re-tickle slow start
once in a while.
c) Eventually the BGP daemon would notice (based on timeouts) that
the session has stalled, and reset the connection.
When that happens, it will start a new BGP session. You know this
has happened because over BGP you can see the peer leaving.
d) the BGP daemon creates a new session.
You bombard it with ICMP again.
Repeat a few times -- and everyone will now consider that peer to be
flapping, and you have successfully taken an ISP off the net.
Please read the article. My take on this is that there are people
who don't want to fix this.
Powered by blists - more mailing lists