[Snort-devel] New opportunity for IDS evasion in patches to tcp protocol vulnerability
From: Milani Paolo <Paolo.Milani(at)TILAB.COM>
Date: Tue Apr 27 2004 - 12:06:57 EDT

Hello all,

As most people know, one of the security issues of the moment is a denial of service vulnerability in the tcp protocol itself. If the ips and ports of a tcp communication are known, an attacker can shoot spoofed reset packets with random sequence numbers and quickly (within a few minutes it seems) get the connection to reset. The problem is that even though sequence numbers are 32 bits (which would be hard to guess) a reset packet only has to be within the sliding window to be acceptable: and since windows are pretty large nowadays, making a guess does not take that much time. This is a big issue for protocols that have fixed port numbers for both peers (such as bgp).

In fact some vendors are already releasing fixes, and if my understanding is correct these fixes break the current tcp standard by requiring more restrictive conditions for a rst packet to be valid: specifically, I think, that the sequence number be exactly the sequence number expected for the next packet, rather than just any "in window" sequence number. The tcp standard itself will perhaps be modified in this direction.

As these patches start to take hold, anti-idsers will have a new opportunity for evasion. If some tcp/ip stacks accept all in window rst packets, while others apply more restrictive conditions, we have one of those ambiguity situations that allow evasion/insertion attacks against network ids. When the stream reassembly preprocessor receives a packet that is in the window but is not valid by these more restrictive criteria, what should it do? In the absence of further knowledge, probably NOT flush the stream, because insertion is really much less of an issue than evasion. If it does flush, and the target host doesn't, an attacker could evade detection by tcp segmentation, while sending fake reset packets.
Once it is clear how this problem with tcp will be solved, we will probably need a small patch for stream4 to take care of this.
ciao,
Received on Tue Apr 27 12:55:35 2004
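The two RST acceptance policies the message contrasts, and the reassembly decision it argues for, as an added example that is not part of the original post and not Snort's stream4 code. The function names, the three-way classification and the sample sequence numbers are assumptions made for illustration; the window check follows the RFC 793 rule (SEG.SEQ in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32).

```python
"""Added example (not from the Snort-devel post): lenient vs. strict RST
acceptance, and what a stream reassembler should do with an ambiguous RST.
All names and sample values here are constructed for illustration."""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 style check: SEG.SEQ in [RCV.NXT, RCV.NXT + RCV.WND), mod 2^32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify_rst(seg_seq, rcv_nxt, rcv_wnd):
    """How a lenient (any in-window) and a strict (exact RCV.NXT) stack
    would each treat this RST."""
    if seg_seq == rcv_nxt:
        return "valid_everywhere"      # both kinds of stack tear the connection down
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "ambiguous"             # lenient stacks accept it, strict stacks reject it
    return "invalid_everywhere"        # nobody accepts it


def reassembly_action(seg_seq, rcv_nxt, rcv_wnd, target_is_strict=None):
    """Reassembler decision for a RST seen on the wire.

    target_is_strict is None when the monitored host's policy is unknown; in
    that case the post's advice applies: keep the stream (do not flush) and
    raise an alert, since a wrong flush lets the attacker evade via segmentation."""
    kind = classify_rst(seg_seq, rcv_nxt, rcv_wnd)
    if kind == "valid_everywhere":
        return "flush"
    if kind == "invalid_everywhere":
        return "ignore"
    if target_is_strict is None:
        return "keep_stream_and_alert"
    # Policy of the target is known: mirror it, but still flag the in-window RST.
    return "ignore_and_alert" if target_is_strict else "flush"


def rsts_to_cover_space(rcv_wnd):
    """Number of spoofed RSTs needed to step through the whole sequence space in
    window-sized strides so that one of them lands in the window (lenient stack).
    This is why a large window makes the attack quick, as the post notes."""
    return -(-SEQ_SPACE // rcv_wnd)    # ceiling division on integers


if __name__ == "__main__":
    print(classify_rst(1500, 1000, 65535), reassembly_action(1500, 1000, 65535))
    print(rsts_to_cover_space(65535))
```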