
Re: A new TCP/IP blind data injection technique?



* Michal Zalewski (lcamtuf@xxxxxxxxxxx) wrote:
>    B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
>       seems that there is a notable (albeit unidentified at the moment)
>       population of systems that do consider it to be optional when set to
>       zero, or do not verify it at all. I have conducted a quick check
>       as follows:
> 
>       - I have acquired a list of 300 most recent unique IPs that
>         had established a connection to a popular web server.
>       - I have sent a SYN packet with a correct TCP checksum to all
>         systems on the list, receiving 170 RST replies.
>       - I have sent a SYN packet with zero TCP checksum to all systems on
>         the list, receiving 12 RST replies (7% of the pool).
> 
>       As such, there seems to be a reason for some concern, even with
>       random IP IDs, since it only takes one RFC-ignorant party for the
>       attack against a session to succeed.

Is it possible the RSTs you're seeing are from firewalls which send an
RST due to rules in the firewall?  It could be that those 12 hosts
wouldn't actually accept a connection where the SYN packet has a zero
TCP checksum.  Admittedly, this is still RFC ignorance but it may not be
an actual attackable vector.  Could a test be made by modifying an
active web server to send SYN+ACK's w/ TCP checksum of 0 after having
received a SYN and see if any of the clients respond?  This would likely
make the server unreachable for most people, of course.  Perhaps
construct a setup where a SYN+ACK w/ an invalid TCP checksum is sent and
one with a valid TCP checksum and have some method to determine if the 0
checksum is accepted.

Just some thoughts.

        Stephen
