
Re: [Snort-devel] New opportunity for IDS evasion in patches to tcp protocol vulnerability

From: Milani Paolo <Paolo.Milani(at)TILAB.COM>
Date: Wed Apr 28 2004 - 07:41:37 EDT


> No, BGP does not have fixed port numbers for both peers. Like all

Ok, I got this wrong. BGP has the most critical vulnerability to this type of attack for other reasons.

> BGP doesn't really need to have RST at all. A simple ACL restricting

The same attack can be done with SYN packets instead (according to the Cisco advisory, at least), so restricting/rate limiting reset packets is not a solution.

> The TCP spec will not, I hope, be changed.

Whether or not the spec is changed, and whichever method is used in future TCP implementations to bypass this problem, it will make TCP implementations more restrictive in which TCP reset packets they accept. This means that Snort's stream state tracking/reassembly will have to take this into account when deciding what to do with a reset packet; otherwise it may find itself out of sync with the end system, and therefore vulnerable to evasion.

In fact, I hope that the spec is changed, rather than having each TCP stack implementation solve the problem with its own ad-hoc fix. The issue will have to be fixed at the TCP level, since it is a vulnerability in the protocol.

ciao
paolo milani


Telecom Italia Group - Under the direction and coordination of Telecom Italia S.p.A.



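The desynchronisation risk raised in the message above, as an added illustration that is not part of the original post or of Snort's code: a stream tracker that accepts any in-window RST (the classic RFC 793 test) will tear down its state on a reset that a host applying the stricter exact-sequence rule (the behaviour RFC 5961 later standardised) ignores, so the two disagree on whether the connection still exists. Sequence numbers, window sizes and the policy function names are constructed for the example.

```python
# Added example: two RST acceptance policies and a check for IDS/host disagreement.
from dataclasses import dataclass


@dataclass
class TcpState:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # advertised receive window
    established: bool = True


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test, modulo 2**32 so it survives sequence wraparound:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


def rst_rfc793(state: TcpState, seq: int) -> str:
    """Classic behaviour: any RST whose SEQ lands inside the window kills the connection."""
    if in_window(seq, state.rcv_nxt, state.rcv_wnd):
        state.established = False
        return "reset"
    return "dropped"


def rst_strict(state: TcpState, seq: int) -> str:
    """Stricter behaviour (RFC 5961 style): only SEQ == RCV.NXT resets the connection;
    an in-window but inexact SEQ earns a challenge ACK, anything else is dropped."""
    if seq == state.rcv_nxt:
        state.established = False
        return "reset"
    if in_window(seq, state.rcv_nxt, state.rcv_wnd):
        return "challenge-ack"
    return "dropped"


def ids_desync(ids_policy, host_policy, seq: int,
               rcv_nxt: int = 1000, rcv_wnd: int = 65535) -> bool:
    """True when the IDS stream tracker and the end host, fed the same RST, end up
    disagreeing on whether the connection is still established."""
    ids = TcpState(rcv_nxt, rcv_wnd)
    host = TcpState(rcv_nxt, rcv_wnd)
    ids_policy(ids, seq)
    host_policy(host, seq)
    return ids.established != host.established


if __name__ == "__main__":
    # In-window but inexact RST: loose IDS drops state, strict host keeps it.
    print("desync:", ids_desync(rst_rfc793, rst_strict, 1000 + 100))
```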



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Wed Apr 28 08:02:10 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:12 EDT

