
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: tcp,guardent,bellovin

  • From: bert hubert
  • Date: Mon Mar 12 17:30:23 2001

[also posted to Bugtraq separately]

On Mon, Mar 12, 2001 at 09:50:08AM -0500, Steven M. Bellovin wrote:

> >Any details? Any incidents using the exploit guardent has
> >identified?
> Not to my knowledge...
> The folks at Guardent are talking to CERT and to various vendors about 
> the problem before releasing any details.

The 50.000 foot view:
There is a further vulnerability in TCP/IP if you can determine the Initial
Sequence Number without actually starting a connection. By exploiting your
knowledge of the remote host, a telephone modem user can cause webservers to
become massive Denial of Service agents, targeting arbitrary targets. Lots
of consumer editions of Windows come with easily guessable sequence numbers.

I actually tried this and it works, but because I was busy with another
project (see .sig), I neglected to share it with the world. However, as
Guardent says, it is pretty hard to actually do this. Once the exploit is
out, it becomes far easier. It took me 2 days of non-stop coding to get it to

I'm not sure if this is what Guardent means, but I suspect it is.

In more detail:
A regular HTTP TCP/IP session looks (modulo some details - read Stevens
TCP/IP Illustrated for full explanation) like this:

Browser computer                     Server Computer
SYN, my sequence number is 25
                                     SYN|ACK, my number is 14
[25] GET /bigfile
                                     [14]  ACK up til 25
                                     [14]  500 bytes of bigfile
                                     [514] 500 more bytes
[38] ACK up til 514
                                     [1014] 1000 more bytes     
                                     [2014] 1000 more bytes
[38] ACK up til 2014
                                     [3014] 1000 more bytes
                                     [4014] 1000 more bytes
[38] ACK up til 4014

   Now the important bit: the Server Computer sends at the rate that properly
   received data is ACKnowledged.

Normally, the only thing that a receiving computer can achieve is send ACKs
more rapidly than data is actually coming in, and thereby DoS itself. Not
very interesting.

Now, if you are able to guess the number '14' above, and you know the packet
sizes a server will produce, you can invent ACKs from arbitrary source IP
addresses. The Server Computer doesn't notice anything interesting, and
blasts out data at speeds possibly exceeding its interface or line speed.

   If you can create fake ACKnowledgements, you determine the amount of data
   generated. If you fake them rapidly, this is called Denial of Service.

The dangerous bit is that you can now DoS others. Just produce ACK packets
that look like they were produced by your desired target, and blast away.

If media people want to have a fuller understanding, please contact me. I am
more than willing to explain at length if it helps prevent incorrect


bert hubert

--      Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
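The post blames the attack on servers whose ISN (the '14' above) is easy to guess. The following is an added illustration, not code from the post or from any vendor's stack, of the RFC 1948 remedy: derive the ISN from a clock plus a keyed function of the connection 4-tuple and a per-boot secret, so one observed ISN says nothing about the next connection's. HMAC-SHA256 stands in for the RFC's MD5, and the 4-microsecond tick follows RFC 793; both are simplifications chosen for this example.

```python
"""Per-connection unpredictable ISNs in the style of RFC 1948 (illustration)."""
import hashlib
import hmac
import secrets

MOD = 1 << 32      # TCP sequence numbers are 32-bit
TICK_US = 4        # RFC 793 ISN clock: +1 every 4 microseconds


def naive_isn(now_us: int) -> int:
    """The guessable scheme the post warns about: a global clock and nothing else.

    Every client connecting at the same instant is handed the same ISN, so
    anyone who has seen one SYN|ACK can predict the next one.
    """
    return (now_us // TICK_US) % MOD


class IsnGenerator:
    """ISN = M(now) + F(local addr/port, remote addr/port, secret) mod 2^32."""

    def __init__(self, secret=None):
        # Per-boot secret; a fixed value is passed only in tests (assumption).
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def _offset(self, laddr: str, lport: int, raddr: str, rport: int) -> int:
        # F(): keyed hash of the 4-tuple, truncated to 32 bits.
        msg = f"{laddr}:{lport}|{raddr}:{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, laddr: str, lport: int, raddr: str, rport: int, now_us: int) -> int:
        # M(): the same monotonic clock as the naive scheme, so sequence
        # numbers of a given connection still advance over time (RFC 793
        # reuse protection), but each 4-tuple lives in its own offset space.
        m = (now_us // TICK_US) % MOD
        return (m + self._offset(laddr, lport, raddr, rport)) % MOD


def isn_delta(gen: IsnGenerator, conn_a: tuple, conn_b: tuple, now_us: int) -> int:
    """Distance between the ISNs two different clients get at the same instant.

    With naive_isn this distance is always 0; with the keyed scheme it is a
    secret-dependent value an observer cannot derive from their own ISN.
    """
    return (gen.isn(*conn_a, now_us) - gen.isn(*conn_b, now_us)) % MOD
```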
