From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 10:44:58 2004
From: des@des.no (Dag-Erling Smørgrav)
To: Mike Tancsa
cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
Date: Tue, 20 Apr 2004 19:44:37 +0200
In-Reply-To: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> (Mike Tancsa's message of "Tue, 20 Apr 2004 12:57:25 -0400")
List-Id: Security issues [members-only posting]
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)

Mike Tancsa writes:
> http://www.uniras.gov.uk/vuls/2004/236929/index.htm

The advisory grossly exaggerates the impact and severity of this fea^H^H^Hbug.
The attack is only practical if you already know the details of the TCP connection you are trying to attack, or are in a position to sniff it. The fact that you can attack a TCP connection which passes through a network you have access to sniff should not be a surprise to anyone; the remaining cases require spoofing of a type which egress filtering would prevent, if only people would bother implementing it.

I don't believe BGP sessions are as exposed as the advisory claims they are, either. The possibility of insertion attacks (which are quite hard) was predicted six years ago, when RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option) was written. RST attacks may cause route flapping, but that can be avoided with a short hysteresis (though this may be impractical for backbone routers).

Insertion attacks against SSL connections are practically impossible, so the only risk there is an RST attack, which most browsers should handle gracefully.

DNS connections (even zone transfers) are so short-lived that you would have to be very, very lucky to pull off an insertion or RST attack against them.

The most likely attack scenario to come out of this is probably gamers and IRC weenies kicking each other off servers (the server's IP address and port number are known, the servers often reveal client IP addresses to other clients, and the client often uses a fixed source port, or one from a relatively small range).

DES

-- 
Dag-Erling Smørgrav - des@des.no
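A defender-side illustration of the RST attack discussed in this thread, added here as an example and not part of the original message or of FreeBSD: a legitimate close sends one RST, whereas a blind RST attempt against a known connection shows up as a burst of RSTs with differing sequence numbers on the same flow. The log lines, the simplified tcpdump-style format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified tcpdump-style format (documentation IP
# ranges, not real traffic). Flow A receives four RSTs with spread-out
# sequence numbers within a few milliseconds; flow B receives a single RST,
# as an ordinary connection teardown would.
SAMPLE_LOG = """\
12:00:00.001 IP 198.51.100.7.40000 > 192.0.2.10.179: Flags [R], seq 100000
12:00:00.002 IP 198.51.100.7.40000 > 192.0.2.10.179: Flags [R], seq 165536
12:00:00.003 IP 198.51.100.7.40000 > 192.0.2.10.179: Flags [R], seq 231072
12:00:00.004 IP 198.51.100.7.40000 > 192.0.2.10.179: Flags [R], seq 296608
12:00:05.000 IP 203.0.113.9.51234 > 192.0.2.10.443: Flags [R], seq 77777
"""

# Matches only RST segments; other flag combinations are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[R\.?\], seq (?P<seq>\d+)"
)


def parse_rst_lines(text):
    """Yield (timestamp, src, dst, seq) for every RST line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            yield ts, m["src"], m["dst"], int(m["seq"])


def flag_rst_bursts(text, max_rsts=3, window_s=1.0):
    """Return (src, dst) flows that see more than max_rsts RSTs with distinct
    sequence numbers inside some window_s-second sliding window."""
    flows = defaultdict(list)
    for ts, src, dst, seq in parse_rst_lines(text):
        flows[(src, dst)].append((ts, seq))
    flagged = []
    for flow, events in flows.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seqs = {s for t, s in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(seqs) > max_rsts:
                flagged.append(flow)
                break
    return flagged
```

Such a burst is only a signal, not proof: one RST per flow is normal, and the sliding window and count should be tuned to the traffic of the host being watched.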