From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 13:47:17 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD30116A520 for ; Tue, 20 Apr 2004 13:47:17 -0700 (PDT)
Received: from post.kyx.net (mail.kyx.net [216.232.31.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 66A8943D49 for ; Tue, 20 Apr 2004 13:47:15 -0700 (PDT) (envelope-from dr@kyx.net)
Received: from zylinator.zorg (unknown [216.232.31.80]) by post.kyx.net (Postfix) with ESMTP id 96CDDD0A2C; Tue, 20 Apr 2004 13:58:10 -0700 (PDT)
From: Dragos Ruiu
Organization: All Terrain Ninjas
To: Charles Swiger , freebsd-security@freebsd.org
Date: Tue, 20 Apr 2004 13:43:44 -0700
User-Agent: KYX-CP/M-FNORD5602
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com>
In-Reply-To: <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200404201343.44342.dr@kyx.net>
Subject: Re: TCP RST attack
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 20 Apr 2004 20:47:17 -0000

On April 20, 2004 01:28 pm, Charles Swiger wrote:
> My take on this is pretty close to yours: this isn't a new
> vulnerability and it's difficult to perform this type of attack under
> most circumstances without being able to sniff the traffic going by.
> (Basically, sending a RST is a simple form of data injection via the
> classic man-in-the-middle attack. ACKs and RSTs count as data, too.

Definitely not a new vulnerability. Just a newer analysis with more factors accounted for.

> Using a tiny window (say ethernet MTU or smaller) would greatly
> increase the amount of work an attacker has to do to create a valid RST
> to zap an open connection, admittedly at the cost of adding a lot of
> latency to such TCP connections. Hmm, how about a mechanism that would
> let one control the maximum TCP window size the system will permit on a
> per-host or per-network-block basis?

But I'm told most providers crank UP their window sizes to improve BGP restarts... So reducing the windows may negatively affect other things. (Need to be careful that the cure isn't worse than the disease.)

cheers,
--dr

-- 
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
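The trade-off the two posters are weighing (a smaller receive window raises the cost of a blind RST, a larger one lowers it) follows directly from the classic in-window acceptance test. The following is an added example written for this page, not code from the thread or from FreeBSD: it models the pre-mitigation receiver check with 32-bit wraparound and computes, for a few constructed sample windows (Ethernet MTU, 16 KiB, the unscaled 64 KiB maximum, and a 1 MiB scaled window of the kind a provider might configure), how many in-window candidates the sequence space contains. Function names and the sample window sizes are my own.

```python
# Added example (not part of the original thread). Models the classic TCP
# receiver rule that a segment is acceptable when SEG.SEQ lies within
# [RCV.NXT, RCV.NXT + RCV.WND) modulo 2^32, and uses it to quantify how the
# configured receive window bounds a blind RST's required guess count.
# All window sizes below are constructed sample values, not measured ones.

SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence-number space


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic acceptance test, computed modulo 2^32 so that it remains
    correct when the window straddles the sequence-number wraparound."""
    if rcv_wnd == 0:
        # Zero window: only a segment at exactly RCV.NXT is acceptable.
        return seq % SEQ_SPACE == rcv_nxt % SEQ_SPACE
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Smallest number of evenly spaced sequence numbers that guarantees one
    of them falls inside a window of rcv_wnd bytes: ceil(2^32 / rcv_wnd).
    This is the defender's exposure figure: halving the window doubles it,
    and a window-scaled (larger) window shrinks it proportionally."""
    if rcv_wnd <= 0:
        raise ValueError("receive window must be positive")
    return -(-SEQ_SPACE // rcv_wnd)  # integer ceiling division


def exposure_table(windows=(1500, 16384, 65535, 1 << 20)) -> dict:
    """Map each candidate receive window (constructed samples: Ethernet MTU,
    16 KiB, the unscaled 64 KiB maximum, a 1 MiB scaled window) to the
    guaranteed-coverage guess count, for comparing configuration choices."""
    return {w: guesses_to_cover_space(w) for w in windows}


if __name__ == "__main__":
    # Wraparound sanity check: a window starting 10 bytes before 2^32 still
    # accepts sequence number 5 on the far side of the wrap.
    print(seq_in_window(5, SEQ_SPACE - 10, 1500))  # True
    for w, n in exposure_table().items():
        print(f"window {w:>8} bytes -> {n:>10} candidates to cover the space")
```

The table makes the thread's caveat concrete: an MTU-sized window needs on the order of 2.8 million candidates, while a 1 MiB scaled window of the sort providers use for BGP session resilience needs only 4096, so a per-host or per-netblock window cap helps exactly where large windows have been turned up for throughput reasons.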