From: masta
Organization: wifibsd.org
Date: Tue, 20 Apr 2004 15:23:14 -0500
To: Mike Tancsa
Cc: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack

Does anybody remember this:

http://lcamtuf.coredump.cx/newtcp/

It seems fairly clear to me that guessing our TCP sequences is near omnipotent power.

-Jon

Mike Tancsa wrote:

> At 02:26 PM 20/04/2004, Dag-Erling Smørgrav wrote:
>
>> Dragos Ruiu writes:
>> > On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
>> > > The advisory grossly exaggerates the impact and severity of this
>> > > fea^H^H^Hbug.  The attack is only practical if you already know the
>> > > details of the TCP connection you are trying to attack, or are in a
>> > > position to sniff it.
>> > This is not true.  The attack does not require sniffing.
>>
>> You need to know the source and destination IP and port.  In most
>> cases, this means sniffing.  BGP is easier because the destination
>> port is always 179 and the source and destination IPs are recorded in
>> the whois database, but you still need to know the source port.
>
> While true, you do need the source port, how long will it take to
> programmatically go through the possible source ports in an attack?
> That only adds 2^16-1024 to blast through
>
>         ---Mike
>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
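
Added example, not part of the thread or of any FreeBSD code: on the receiving side, the source-port sweep discussed above appears as many RSTs from one claimed peer that match no live connection or carry an out-of-window sequence number. The record layout, thresholds and sample packets are constructed, and treating an RST as plausible only when its sequence number falls inside the receive window is an assumption of this example.

```python
from collections import defaultdict, deque

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % 2**32 < rcv_wnd

def find_rst_sweeps(packets, established, span_s=10.0, min_ports=20):
    """Flag claimed peers whose RSTs miss live connections on many source ports.

    packets: (ts, src_ip, src_port, dst_ip, dst_port, flags, seq) tuples
    established: {(src_ip, src_port, dst_ip, dst_port): (rcv_nxt, rcv_wnd)}
    Returns {(src_ip, dst_ip, dst_port): peak distinct source ports seen in
    any span_s-second window}, keeping only keys that reach min_ports.
    """
    recent = defaultdict(deque)          # key -> (ts, src_port) still in window
    peak = defaultdict(int)
    for ts, sip, sport, dip, dport, flags, seq in sorted(packets, key=lambda p: p[0]):
        if "R" not in flags:
            continue
        conn = established.get((sip, sport, dip, dport))
        if conn is not None and in_window(seq, *conn):
            continue                     # RST a receiver could plausibly accept
        key = (sip, dip, dport)
        q = recent[key]
        q.append((ts, sport))
        while ts - q[0][0] > span_s:     # drop entries older than the window
            q.popleft()
        peak[key] = max(peak[key], len({port for _, port in q}))
    return {k: n for k, n in peak.items() if n >= min_ports}

# Constructed sample data (documentation addresses, invented values).
ESTABLISHED = {
    ("192.0.2.1", 40000, "192.0.2.2", 179): (1000, 16384),
    ("198.51.100.7", 50000, "192.0.2.2", 179): (7000, 16384),
}
PACKETS = [(0.0, "192.0.2.1", 40000, "192.0.2.2", 179, "PA", 1000)]
# 40 RSTs claiming to come from the BGP peer, one per guessed source port.
PACKETS += [(1.0 + i / 100, "192.0.2.1", 39990 + i, "192.0.2.2", 179, "R", 5_000_000)
            for i in range(40)]
# One ordinary in-window reset from another peer: must not be flagged.
PACKETS.append((2.0, "198.51.100.7", 50000, "192.0.2.2", 179, "R", 7010))

if __name__ == "__main__":
    for (src, dst, port), n in find_rst_sweeps(PACKETS, ESTABLISHED).items():
        print(f"RST sweep: {src} -> {dst}:{port}, {n} distinct source ports")
```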