TCP Spoofing Details

on 04.01.2006 18:19:06 by Ludovic Joly

Dear all,

I would like to get some details on the tcp spoofing attack.

I thought it involved source routing (IP option), but this is supposed
to only affect the attacker's packets, not the replies. Doesn't the
source routing affect the reply route in one way or another?

Does anyone have proof-of-concept source code?

Kind regards
Ludovic Joly

Re: TCP Spoofing Details

on 05.01.2006 05:44:03 by Barry Margolin

In article <1136395146.410980.222170@g14g2000cwa.googlegroups.com>,
"Ludovic Joly" wrote:

> Dear all,
>
> I would like to get some details on the tcp spoofing attack.
>
> I thought it involved source routing (IP option), but this is supposed
> to only affect the attacker's packets, not the replies. Doesn't the
> source routing affect the reply route in one way or another?
>
> Does anyone have proof-of-concept source code?
>
> Kind regards
> Ludovic Joly

I have to correct my response in the other thread. I just checked RFC
793, and it says:

If the lower level is IP (or other protocol that provides this
feature) and source routing is used, the interface must allow the
route information to be communicated. This is especially important
so that the source and destination addresses used in the TCP
checksum be the originating source and ultimate destination. It is
also important to preserve the return route to answer connection
requests.

RFC 1122 goes into further detail:

When a TCP connection is OPENed passively and a packet
arrives with a completed IP Source Route option (containing
a return route), TCP MUST save the return route and use it
for all segments sent on this connection. If a different
source route arrives in a later segment, the later
definition SHOULD override the earlier one.

This explains why it's so important to block source-routed packets at
your network periphery.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
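As an added example (not code from the thread or from any of its posters), here is the kind of check a perimeter filter or IDS applies to act on the advice above: it walks the IPv4 options field and reports a Loose or Strict Source Route option, including whether the route is "completed" in the RFC 1122 sense (pointer past the end of the option). The packets are constructed test data; the small header builder exists only to produce them.

```python
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89      # Loose / Strict Source Route, RFC 791

def source_route_option(packet: bytes):
    """Return {'kind', 'hops', 'completed'} for an IPv4 packet carrying an
    LSRR/SSRR option, None if it carries none; ValueError on malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:                # one-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3:
                raise ValueError("source route option too short")
            pointer = opts[i + 2]
            hops = [".".join(map(str, opts[i + 3 + j:i + 7 + j]))
                    for j in range(0, length - 3, 4)]
            # RFC 791: a pointer past the option's end means every hop has been
            # consumed; RFC 1122 makes the passive TCP reuse that route for replies.
            return {"kind": "strict" if kind == IPOPT_SSRR else "loose",
                    "hops": hops, "completed": pointer > length}
        i += length
    return None

def ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header as constructed test data (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 64, 6, 0, ip(src), ip(dst)) + options

# Constructed samples: a plain packet and one carrying a completed two-hop LSRR.
LSRR_OPT = bytes([IPOPT_LSRR, 11, 12, 10, 0, 0, 1, 192, 0, 2, 1])
PLAIN = ipv4_header("203.0.113.5", "192.0.2.10")
SOURCE_ROUTED = ipv4_header("203.0.113.5", "192.0.2.10", LSRR_OPT)
```

A filter would drop any packet for which `source_route_option` returns a result; the `completed` flag is what makes the reply-route hijack in RFC 1122 possible, so logging it separately is useful for investigation.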

Re: TCP Spoofing Details

on 05.01.2006 10:07:36 by Ludovic Joly

Thanks very much for going through the RFCs and answering this question.
Yesterday I could no longer imagine how the attack could be (or could have
been) realistic.

Re: TCP Spoofing Details

on 10.01.2006 14:05:38 by Volker Birk

Ludovic Joly wrote:
> I would like to get some details on the tcp spoofing attack.

TCP is only as secure as its sequence numbers are hard to predict.

> Does anyone have proof-of-concept source code?

You'll find some here:

http://www.osvdb.org/4030

Instead of using TCP packets for reset attacks, you could insert data
into a connection, too, as described here:

http://kerneltrap.org/node/3072

You'll find a comparison of different TCP implementations and how
vulnerable they are here:

http://lcamtuf.coredump.cx/newtcp/

Yours,
VB.
--
A vision statement is, as a rule, aimless babble from a horde of
crackpots out of touch with reality.
Dietz Pröpper in d.a.s.r