From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 13:36:13 2004
From: Dragos Ruiu
Organization: All Terrain Ninjas
To: Mike Tancsa, des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-security@freebsd.org
Date: Tue, 20 Apr 2004 13:32:40 -0700
Subject: Re: TCP RST attack
Message-Id: <200404201332.40827.dr@kyx.net>
In-Reply-To: <6.0.3.0.0.20040420144001.0723ab80@209.112.4.2>

On April 20, 2004 11:43 am, Mike Tancsa wrote:
> At 02:26 PM 20/04/2004, Dag-Erling Smørgrav wrote:
> >Dragos Ruiu writes:
> > > On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
> > > > The advisory grossly exaggerates the impact and severity of this
> > > > fea^H^H^Hbug. The attack is only practical if you already know the
> > > > details of the TCP connection you are trying to attack, or are in a
> > > > position to sniff it.
> > >
> > > This is not true. The attack does not require sniffing.
> >
> >You need to know the source and destination IP and port. In most
> >cases, this means sniffing. BGP is easier because the destination
> >port is always 179 and the source and destination IPs are recorded in
> >the whois database, but you still need to know the source port.
>
> While true, you do need the source port, how long will it take to
> programmatically go through the possible source ports in an attack ? That
> only adds 2^16-1024 to blast through

Also keep in mind ports are predictable to varying degrees depending on
the vendor or OS, which further reduces the brute force space you have to
go through without sniffing. That's what this thing boils down to imho -
the space you have to blast through, the time you have to do it in, and
the bandwidth/rate available to do it. And there are competing factors,
and questions about what are the real world values. I'm still waiting on
final answers...

cheers,
--dr

-- 
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
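The blind variant debated above, where the attacker lacks the source port and has to blast RSTs across the candidate range, is visible on the wire as a burst of RSTs to one destination socket from many different source ports. Added example, not from this thread or from FreeBSD: a small Python detector run over constructed tcpdump-style lines (the line format, addresses, the 1-second window and the 20-port threshold are all assumptions for illustration) that flags such a spray against the BGP port 179.

```python
import re
from collections import defaultdict
# Constructed tcpdump-style lines (hypothetical format and RFC 5737 addresses).
def _mk(ts, src, sport, dst, dport, flags):
    return f"{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], length 0"
SAMPLE_LOG = [
    _mk("12:00:00.100000", "198.51.100.2", 33000, "198.51.100.1", 179, "P."),  # real peer traffic
    _mk("12:00:05.000000", "203.0.113.5", 51515, "198.51.100.1", 22, "R"),     # a lone, ordinary RST
] + [
    # 40 RSTs to the BGP port within 0.4 s, each with a different candidate source port
    _mk(f"12:00:10.{i * 10000:06d}", "198.51.100.2", 1024 + i, "198.51.100.1", 179, "R")
    for i in range(40)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return a dict with timestamp (seconds), addresses, ports and flags, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    d["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def find_rst_sprays(lines, window_s=1.0, min_ports=20):
    """Map (dst, dport) -> peak number of distinct source ports that sent RSTs within
    any window_s-second span; a real session only ever sees RSTs from one source port."""
    by_socket = defaultdict(list)          # (dst, dport) -> [(t, sport), ...]
    for line in lines:
        p = parse_line(line)
        if p and "R" in p["flags"]:
            by_socket[(p["dst"], p["dport"])].append((p["t"], p["sport"]))
    alerts = {}
    for sock, evs in by_socket.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):           # sliding window over time-ordered RSTs
            while evs[hi][0] - evs[lo][0] > window_s:
                lo += 1
            distinct = len({sp for _, sp in evs[lo:hi + 1]})
            if distinct >= min_ports:
                alerts[sock] = max(distinct, alerts.get(sock, 0))
    return alerts
```

Tune the window and threshold to the link: a narrower ephemeral range on a predictable stack means a shorter spray, so the threshold should sit well below the number of ports the peer's OS actually uses.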