Author: Simon Hobson
Date:  
To: dng@lists.dyne.org
Subject: Re: [DNG] Security news about TCP weakness
Go Linux <golinux@???> wrote:

> For those of you so inclined. Is this important, old news or just academic posturing?


I think it's all three!
It looks very much related to a CVE from 2004:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0230

Fundamentally, if someone can spoof a packet with the right source IP (trivial), right source port (may or may not be trivial), and (most importantly) the right sequence number - they can pretend to be the other end in any TCP connection. That's the basic issue, and there really isn't any way around that - if you receive a packet with the right headers then it's indistinguishable from any other packet with the right headers.

Address is trivial to spoof - you only need to know that there is a conversation going on and the addresses of the end points. Port numbers are a bit harder - one end is likely to be a well known port (eg port 80 for HTTP), but the other (the originating end) is likely to be a random number between 1024 and 65535, thus making it less than trivial to guess.
The sequence number is (AIUI, fundamentally) there to allow packet identification within the stream so the data stream can be re-assembled with all the bits in the right order - and for this function can simply be a counter. Because a simple counter makes this sort of attack less difficult, I think things got changed so it's a pseudo-random sequence - as long as both ends know the rules, the sequence can be anything.

The simplest thing you can do is to send things like RST packets and terminate the connection - thus causing a denial of service. With a bit more work, you can in theory inject false data packets, and if you get them in at the right time, they will be used instead of the real packet sent by the real other end.

I can't help thinking that without being able to see any traffic, just figuring out which source ports are in use, AND the exact timing of the communication, is going to be sufficiently non-trivial as to make "I can alter contents of [web pages | emails | whatever ]" claims somewhat suspect. So I suspect that this new (if it is) revelation doesn't really make for a massive new attack vector.

The key thing is figuring out what sequence number the other end will be sending, and the paper claims to have figured out a new and better way of doing that. I really don't know enough about the subject to know whether this paper is news or, as you suggest, just academic posturing.
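As an added illustration of the blind spoofed-RST scenario described in the message above (this is example code written for this page, not code from Simon Hobson's post or from the DNG list), the following Python models the receiver-side check a TCP stack applies to a segment and counts how many spoofed segments an attacker who cannot see the traffic has to send. It covers the three things the post lists (address, port, sequence number): addresses are taken as known, the client's ephemeral port is guessed from a candidate list, and the sequence number is swept through the 32-bit space. The "in-window" acceptance rule is the RFC 793 behaviour behind the linked CVE-2004-0230; the "exact" rule (RST accepted only at the exact next expected sequence number, as RFC 5961 later specified) is included for contrast and is not something the post discusses. The sample connection, the window size, the port candidate list and the policy names are constructed assumptions.

```python
"""Model of a blind spoofed-RST attack against a TCP receiver.

Added example, not from the original mailing-list post.  The sample
connection, window size, port candidates and policy names are assumptions
chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits and wrap around


@dataclass(frozen=True)
class Connection:
    """Receiver-side view of one established connection."""
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int   # the peer's ephemeral port: the value the attacker must guess
    rcv_nxt: int     # next sequence number the receiver expects from the peer
    rcv_wnd: int     # receive window currently advertised by the receiver


@dataclass(frozen=True)
class Segment:
    """The fields of a (spoofed) segment that matter for the check."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    rst: bool = True


def in_window(conn: Connection, seq: int) -> bool:
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, computed modulo 2**32 so that a
    window straddling the wrap point is handled correctly."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_accepted(conn: Connection, seg: Segment, policy: str = "in-window") -> bool:
    """Would the receiver tear down `conn` on receiving `seg`?

    "in-window": accept any RST whose sequence number lies inside the receive
                 window (classic RFC 793 behaviour; what CVE-2004-0230 is about).
    "exact":     accept only seq == RCV.NXT (the stricter rule of RFC 5961,
                 not discussed in the post; included for contrast).
    """
    if not seg.rst:
        return False
    # The four-tuple must match.  Addresses are trivial to spoof; the peer's
    # ephemeral port is the part the attacker has to guess.
    if (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) != (
        conn.peer_ip, conn.peer_port, conn.local_ip, conn.local_port
    ):
        return False
    if policy == "exact":
        return seg.seq == conn.rcv_nxt
    if policy == "in-window":
        return in_window(conn, seg.seq)
    raise ValueError(f"unknown policy {policy!r}")


def guesses_per_port(policy: str, assumed_window: int) -> int:
    """Worst-case spoofed segments needed to sweep the sequence space for one
    port guess.  Against "in-window" the attacker strides by the window, so a
    single hit anywhere in the window suffices; against "exact" every value
    has to be tried."""
    stride = assumed_window if policy == "in-window" else 1
    return -(-SEQ_SPACE // stride)  # ceiling division


def attack_cost(policy: str, assumed_window: int, port_candidates: Sequence[int]) -> int:
    """Worst-case total over every candidate port."""
    return len(port_candidates) * guesses_per_port(policy, assumed_window)


def blind_rst_attack(conn: Connection, policy: str, port_candidates: Sequence[int],
                     assumed_window: int, budget: int) -> Optional[int]:
    """Attacker knows both IPs and the server port, sees no traffic, and sweeps
    (port, seq) guesses.  Returns the number of segments sent when the
    connection dropped, or None if `budget` segments were sent without success."""
    stride = assumed_window if policy == "in-window" else 1
    sent = 0
    for port in port_candidates:
        for seq in range(0, SEQ_SPACE, stride):
            if sent >= budget:
                return None
            sent += 1
            seg = Segment(conn.peer_ip, port, conn.local_ip, conn.local_port, seq)
            if rst_accepted(conn, seg, policy):
                return sent
    return None


# Constructed sample: a client on a random high port talking to a web server
# on port 80; the receiver modelled here is the server side.
SAMPLE = Connection(local_ip="192.0.2.10", local_port=80,
                    peer_ip="198.51.100.7", peer_port=51234,
                    rcv_nxt=0xDEADBEEF, rcv_wnd=65535)
# Attacker's shortlist of possible client ports (the true one is third).
PORTS = [1024, 40000, 51234, 60000]

if __name__ == "__main__":
    budget = attack_cost("in-window", SAMPLE.rcv_wnd, PORTS)
    print("in-window: worst case", budget, "segments; dropped after",
          blind_rst_attack(SAMPLE, "in-window", PORTS, SAMPLE.rcv_wnd, budget))
    print("exact: worst case", attack_cost("exact", SAMPLE.rcv_wnd, PORTS),
          "segments; the same budget gives",
          blind_rst_attack(SAMPLE, "exact", PORTS, SAMPLE.rcv_wnd, budget))
```

With a 64 KiB window the in-window rule lets the attacker cover the whole sequence space in about 65,538 segments per port guess, so the port uncertainty is what multiplies the cost; requiring the exact expected sequence number pushes each port guess to 2**32 segments, which is why the same budget comes back empty under the "exact" policy.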