[Csci551-talk] strange article..

mike wakerly wakerly at usc.edu
Wed Apr 21 01:44:49 PDT 2004


On Apr 21, 2004, at 1:21 AM, Rahul Pilani wrote:
> Is it similar to age-old hacking techniques like buffer overflow, etc.?

No, the flaw is not nearly as general. It seems that many TCP stacks 
incorrectly handle RST commands in a TCP connection, and as a 
consequence, could be tricked into closing a connection. It is 
important to realize that this seems to be an implementation flaw -- 
TCP doesn't need to be changed, but some stacks may.

> >> Routers continually exchange important updates about the most
> >> efficient traffic routes between large networks.
>
> How is exchanging routes concerned with TCP?
> I think what the so-called "Technical Writer" is referring to is some
> routing protocol like BGP.

Right, I think something I read earlier today about this mentioned BGP 
explicitly. Whatever that article was, it suggested BGP connections 
could be targeted because (1) they are generally left open (e.g., 
long-lived), and (2) resetting and hence killing such a connection 
could cause more widespread disconnection -- at least until, say, 
withdrawn routes are re-advertised.

> >> Continued successful attacks against routers can cause them to go
> >> into a stand-by mode, known as "dampening," that can persist for
> >> hours.
>
> What is the dampening mode that is being talked about? Is it
> OS-specific or is it part of any protocol?

No idea :)

> >> Experts previously maintained such attacks could take between four
> >> to 142 years to succeed because they require guessing a rotating
> >> number from roughly 4 billion possible combinations. Watson said he
> >> can guess the proper number with as few as four attempts, which can
> >> be accomplished within seconds.
>
> Combinations of what?
> Does anybody have any more details of what this article is all about,
> or is it just paranoia?

To simplify, injecting a packet into a TCP flow is hard because 
predicting the sequence number is hard. The flaw here is that someone 
observed a TCP implementation that accepts RST packets with not only 
the next sequence number, but any sequence number within a certain 
window. By reducing the space of acceptable sequence numbers, the 
difficulty in injecting a packet is reduced.

I'd say this is mostly paranoia. It's an easy problem to fix, and in 
the meantime, not likely to be terribly widespread.

Cheers,
Mike
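An added example, not part of Mike's message or of anything else in this thread: a small Python model of the receiver-side RST check Mike describes. It compares the permissive rule (any RST whose sequence number falls inside the receive window tears the connection down) with the strict rule (only SEQ == RCV.NXT does), and computes how large the guessing space is under each. The field names RCV.NXT and RCV.WND follow RFC 793; the function names, the "challenge ACK" branch (the mitigation RFC 5961 later standardised for exactly this problem) and the sample connection values are this example's own assumptions, not anything from the article or the thread.

```python
"""Model of TCP RST acceptance: permissive (in-window) versus strict (exact).

Added example, not from the mailing-list thread.  RCV.NXT / RCV.WND follow
RFC 793; the helper names and sample values are constructed for illustration.
"""
import math

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence-number space


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """True if seg_seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32.

    The modular subtraction handles sequence-number wraparound correctly.
    """
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify_rst(seg_seq, rcv_nxt, rcv_wnd):
    """Where a RST segment's sequence number sits relative to the window.

    Returns "exact" (SEQ == RCV.NXT), "in-window" (inside the window but not
    exact) or "out-of-window".
    """
    if seg_seq == rcv_nxt:
        return "exact"
    if seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "in-window"
    return "out-of-window"


def rst_action(seg_seq, rcv_nxt, rcv_wnd, strict):
    """What the receiver does with a RST under each policy.

    strict=False is the permissive stack discussed in the thread: any
    in-window RST resets the connection.
    strict=True is the hardened behaviour (RFC 5961): only an exact match
    resets; an in-window but inexact RST is answered with a challenge ACK,
    so a peer that genuinely reset replies with an exact-sequence RST and
    a blind sender gets nothing; out-of-window RSTs are simply dropped.
    """
    kind = classify_rst(seg_seq, rcv_nxt, rcv_wnd)
    if kind == "exact":
        return "reset"
    if kind == "in-window":
        return "challenge-ack" if strict else "reset"
    return "drop"


def guesses_to_cover_space(rcv_wnd, strict):
    """Distinct sequence values needed to be certain one is honoured.

    A strict receiver forces the whole 2^32 space to be covered; a
    permissive one only needs one value per window-sized slice.  This is
    the arithmetic behind the "4 billion" figure in the quoted article.
    """
    if strict:
        return SEQ_SPACE
    return math.ceil(SEQ_SPACE / rcv_wnd)


if __name__ == "__main__":
    # Constructed sample connection: RCV.NXT = 1,000,000 with a 64 KiB window.
    rcv_nxt, rcv_wnd = 1_000_000, 65536
    for seq in (1_000_000, 1_030_000, 2_000_000):
        print(f"SEQ={seq:>9}  permissive={rst_action(seq, rcv_nxt, rcv_wnd, False):<13}"
              f" strict={rst_action(seq, rcv_nxt, rcv_wnd, True)}")
    print("values to cover, permissive:", guesses_to_cover_space(rcv_wnd, False))
    print("values to cover, strict:    ", guesses_to_cover_space(rcv_wnd, True))
```

Run as a script, the sample shows the point of the thread in two lines: the permissive receiver resets on a RST 30,000 bytes past RCV.NXT, while the strict receiver only challenges it, and the number of values a blind sender would have to cover drops from 2^32 to 2^32 / RCV.WND on the permissive stack, which is why a larger advertised window makes the permissive check worse and why the fix is an implementation change rather than a change to TCP itself.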


