Re: the next generation of nuke.c

smb@research.att.com
Thu, 26 Jan 95 15:30:13 EST

	 
	 More of a denial of service attack, but with the current discussion on
	 bugtraq/firewalls regarding sequence number guessing, I thought I'd put
	 forward a method of killing an established TCP connection, besides the
	 (mis)usage of ICMP unreachable messages.  It would also appear that,
	 although this attack is more difficult to launch, it would also be more
	 difficult to prevent.

	 Since it's possible to guess sequence numbers of the packets in a TCP
	 connection, it seems it would be possible to then send a fake FIN message to
	 our target, followed directly by an ACK to acknowledge the closing
	 of the connection.

	 If you wanted to kill a connection, all you would have to do is flood one
	 of the ends with FIN/ACK packets until you get the sequence numbers
	 correct.

	 - Oliver

Well, RST is more definitive than FIN, somehow...

That said, the attack you cite is harder to carry out than you think.
It's easy to guess the next starting sequence number for a connection;
it's much harder to know what the sequence number status is of an existing
connection unless you're sniffing the wire.  You'd also have to know
what the client's port number was; again, without sniffing the wire, that's
hard to come by, unless one of the two sites has an overly-cooperative
SNMP server.
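The two points in the exchange above (a forged RST or FIN is only honoured if it lands in the target's receive window on the right port pair, and RST is the more decisive of the two) can be made concrete with a small model of the receiver. The following is an added example written for this archive page, not code from either poster. It implements the RFC 793 acceptability test for a segment carrying no data and the in-order requirement for FIN, then compares the single segment an on-path sniffer needs with the average number of blind guesses an off-path attacker needs. The port numbers, sequence numbers, the 4096-byte window and the 1024-4999 client port range are constructed sample values, not measurements from any system.

```python
"""Model of forged RST/FIN injection against an ESTABLISHED TCP connection.

Added example, not from the original posting.  All numeric values used in
the demo below are constructed samples.
"""
import random
from dataclasses import dataclass

SEQ_MOD = 1 << 32


def in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2^32."""
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload_len: int = 0


@dataclass
class Endpoint:
    """One side of an established connection, as the target sees it."""
    local_port: int
    remote_port: int
    rcv_nxt: int
    rcv_wnd: int
    state: str = "ESTABLISHED"

    def receive(self, seg: Segment) -> bool:
        """Process one forged segment; True if it tore the connection down."""
        if (seg.src_port, seg.dst_port) != (self.remote_port, self.local_port):
            return False                  # no such connection: ignored
        if not in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            return False                  # out of window: dropped, ACK sent back
        if "RST" in seg.flags:
            self.state = "CLOSED"         # RST anywhere in the window kills it
            return True
        if "FIN" in seg.flags:
            if seg.seq != self.rcv_nxt:
                return False              # in window but ahead: queued, not acted on
            self.state = "CLOSE_WAIT"     # FIN: application still holds the socket
            self.rcv_nxt = (self.rcv_nxt + 1) % SEQ_MOD
            return True
        return False


def forge_rst_from_capture(captured: Segment) -> Segment:
    """Given one sniffed segment from peer A to target B, build the RST that
    B accepts: B's RCV.NXT is A's next sequence number, i.e. the captured
    SEQ advanced past its payload (SYN and FIN each consume one number)."""
    nxt = captured.seq + captured.payload_len
    nxt += ("SYN" in captured.flags) + ("FIN" in captured.flags)
    return Segment(captured.src_port, captured.dst_port, nxt % SEQ_MOD,
                   captured.ack, frozenset({"RST"}))


def expected_blind_guesses(rcv_wnd: int, candidate_ports: int = 1) -> float:
    """Average RSTs needed without sniffing: every in-window value works,
    so 2^32 / window, multiplied by the number of client ports to try."""
    return SEQ_MOD / rcv_wnd * candidate_ports


def blind_rst_attack(target: Endpoint, max_tries: int, seed: int = 0) -> int:
    """Spray RSTs with random sequence numbers at a known port pair.
    Returns the attempt number that succeeded, or 0 if the budget ran out."""
    rng = random.Random(seed)
    for attempt in range(1, max_tries + 1):
        seg = Segment(target.remote_port, target.local_port,
                      rng.randrange(SEQ_MOD), 0, frozenset({"RST"}))
        if target.receive(seg):
            return attempt
    return 0


if __name__ == "__main__":
    # On-path: one sniffed segment (constructed values) gives the exact RST.
    victim = Endpoint(local_port=23, remote_port=1234,
                      rcv_nxt=0x12345678, rcv_wnd=4096)
    seen = Segment(1234, 23, 0x12345600, 0xABCDEF00, frozenset({"ACK"}), 0x78)
    print("sniffing:", victim.receive(forge_rst_from_capture(seen)), victim.state)
    # Off-path with the port pair known and a 64 KB window (best case).
    blind = Endpoint(23, 1234, 0x12345678, 65536)
    print("blind, 64 KB window: expected", int(expected_blind_guesses(65536)),
          "tries; this run:", blind_rst_attack(blind, 1_000_000, seed=1))
    # Off-path, 4 KB window, client port somewhere in 1024-4999 (assumed).
    print("blind, 4 KB window, port unknown:",
          int(expected_blind_guesses(4096, 5000 - 1024)), "tries on average")
```

The model shows why the reply prefers RST: under RFC 793 any in-window sequence number resets the connection immediately, whereas a FIN must arrive exactly at RCV.NXT and even then only moves the target to CLOSE_WAIT, leaving the application's socket open until it closes. The same window rule is why blind injection is expensive: the attacker must also hit the client's port, and each guess only covers one window's worth of the 32-bit space. Note that modern stacks implementing RFC 5961 accept a RST only when its sequence number equals RCV.NXT exactly and answer other in-window RSTs with a challenge ACK, which removes the per-window shortcut this model grants the attacker.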