[Snort-devel] New opportunity for IDS evasion in patches to tcp protocol vulnerability

Milani Paolo Paolo.Milani at ...866...
Tue Apr 27 09:08:01 EDT 2004

Hello all,

As most people know, one of the security issues of the moment is a denial-of-service vulnerability in the TCP protocol itself.
If the IPs and ports of a TCP connection are known, an attacker can shoot spoofed reset packets with random sequence numbers and quickly (within a few minutes, it seems) get the connection to reset. The problem is that even though sequence numbers are 32 bits (which would be hard to guess), a reset packet only has to be within the sliding window to be acceptable; and since windows are pretty large nowadays, making a guess does not take that much time.
This is a big issue for protocols that have fixed port numbers for both peers (such as BGP).
In fact, some vendors are already releasing fixes, and if my understanding is correct, these fixes break the current TCP standard by requiring more restrictive conditions for a RST packet to be valid: specifically, I think, that the sequence number be exactly the sequence number expected for the next packet, rather than just any "in-window" sequence number.
The TCP standard itself will perhaps be modified in this direction.
As these patches start to take hold, anti-IDSers will have a new opportunity for evasion.
If some TCP/IP stacks accept all in-window RST packets, while others apply more restrictive conditions, we have one of those ambiguity situations that allow evasion/insertion attacks against a network IDS.
When the stream reassembly preprocessor receives a packet that is in the window but is not valid by these more restrictive criteria, what should it do?
In the absence of further knowledge, probably NOT flush the stream, because insertion is really much less of an issue than evasion. If it does flush and the target host doesn't, an attacker could evade detection by TCP segmentation while sending fake reset packets.
Once it is clear how this problem with TCP will be solved, we will probably need a small patch for stream4 to take care of this.


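As an added example, not part of the original post and not Snort's stream4 code: a small Python model of the two RST-acceptance rules the post describes (the classic in-window check versus the stricter exact-sequence-number check) and of a toy stream-reassembling IDS that flushes on any RST it accepts. The attacker splits a signature across two data segments and sends, in between, a spoofed RST whose sequence number is in-window but not the expected one, which is exactly the ambiguous case. The hosts, segments, the signature string and the in-order-only reassembly are all constructed for the demo; the guess-count function generalizes the post's qualitative remark into the 2^32 / window figure.

```python
"""Constructed model of the RST-acceptance ambiguity between TCP stacks and
a stream-reassembling IDS.  Nothing here is Snort code; it is a demo."""
from dataclasses import dataclass
from typing import Callable

SEQ_MOD = 1 << 32
DEFAULT_WINDOW = 65535
ATTACK = b"/bin/sh -c 'id'"          # constructed signature the IDS looks for
RstPolicy = Callable[[int, int, int], bool]


def rst_in_window(seq: int, rcv_nxt: int, window: int) -> bool:
    """Classic rule: a RST is accepted if seq lies anywhere in
    [rcv_nxt, rcv_nxt + window), with 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < window


def rst_exact(seq: int, rcv_nxt: int, window: int) -> bool:
    """Stricter rule from the post: only a RST at exactly rcv_nxt is accepted."""
    return seq % SEQ_MOD == rcv_nxt % SEQ_MOD


def rst_guesses_to_cover_space(window: int) -> int:
    """Spoofed RSTs needed to sweep the whole sequence space one window at a
    time under the classic rule (ceil(2**32 / window)).  Under the exact rule
    the attacker faces the full 2**32 instead."""
    return -(-SEQ_MOD // window)


@dataclass
class Segment:
    seq: int
    payload: bytes = b""
    rst: bool = False


@dataclass
class Host:
    """Receiving endpoint; accepts in-order data only, enough for the demo."""
    rcv_nxt: int
    rst_policy: RstPolicy
    window: int = DEFAULT_WINDOW
    established: bool = True
    received: bytes = b""

    def deliver(self, seg: Segment) -> None:
        if not self.established:
            return                                   # already torn down
        if seg.rst:
            if self.rst_policy(seg.seq, self.rcv_nxt, self.window):
                self.established = False
            return
        if seg.seq == self.rcv_nxt:
            self.received += seg.payload
            self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % SEQ_MOD


@dataclass
class ReassemblingIDS:
    """Toy reassembler: buffers in-order data and pattern-matches the buffer
    whenever it flushes (on a RST it accepts, or at end of capture)."""
    rcv_nxt: int
    rst_policy: RstPolicy
    window: int = DEFAULT_WINDOW
    buffer: bytes = b""
    alerts: int = 0

    def _flush(self) -> None:
        if ATTACK in self.buffer:
            self.alerts += 1
        self.buffer = b""                            # session considered closed

    def inspect(self, seg: Segment) -> None:
        if seg.rst:
            if self.rst_policy(seg.seq, self.rcv_nxt, self.window):
                self._flush()
            return
        if seg.seq == self.rcv_nxt:
            self.buffer += seg.payload
            self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % SEQ_MOD

    def end_of_capture(self) -> None:
        self._flush()


def run_scenario(host_policy: RstPolicy, ids_policy: RstPolicy, isn: int = 1000) -> dict:
    """Attacker sends half of ATTACK, a spoofed RST that is in-window but not
    at rcv_nxt, then the other half.  Reports what host and IDS concluded."""
    host = Host(rcv_nxt=isn, rst_policy=host_policy)
    ids = ReassemblingIDS(rcv_nxt=isn, rst_policy=ids_policy)
    half = len(ATTACK) // 2
    wire = [
        Segment(seq=isn, payload=ATTACK[:half]),
        Segment(seq=isn + half + 4096, rst=True),    # the ambiguous RST
        Segment(seq=isn + half, payload=ATTACK[half:]),
    ]
    for seg in wire:
        ids.inspect(seg)
        host.deliver(seg)
    ids.end_of_capture()
    return {"host_got_attack": ATTACK in host.received,
            "ids_alerted": ids.alerts > 0}
```

Running the four combinations reproduces the post's argument: a host with the strict rule and an IDS that flushes on any in-window RST gives the evasion case (the host assembles the full attack string, the IDS never sees it contiguous and raises no alert), while the reverse pairing gives only an insertion (an alert for a stream the host tore down), which is the less harmful error and the reason the post suggests not flushing in the ambiguous case.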