[Snort-devel] New opportunity for IDS evasion in patches to tcp protocol vulnerability
Michael.Richardson at ...2449...
Tue Apr 27 10:45:19 EDT 2004
>>>>> "Milani" == Milani Paolo <Paolo.Milani at ...865...> writes:
Milani> take that much time. This is a big issue for protocols that
Milani> have fixed port numbers for both peers (such as bgp). In
No, BGP does not have fixed port numbers for both peers. Like all
protocols, one end picks a "random" port.
Milani> fact some vendors are already releasing fixes, and if my
Milani> understanding is correct these fixes break the current tcp
Milani> standard by requiring more restrictive conditions for a rst
Milani> packet to be valid: specifically, I think, that the sequence
Milani> number be exactly the expected sequence number expected for
Milani> the next packet, rather than just any "in window" sequence
Milani> number. The tcp standard itself will perhaps be modified in
Yes, this is all bullshit.
BGP doesn't really need to have RST at all. A simple ACL restricting
TCP RSTs to port 179 would suffice.
If you need RSTs, use TCPMD5 or IPsec.
Milani> anti-idsers will have a new opportunity for evasion. If
Milani> some tcp/ip stacks accept all in window rst packets, while
Milani> others apply more restrictive conditions, we have one of
Milani> those ambiguity situations that allow evasion/insertion
Milani> attacks against network ids. When the stream reassembly
Milani> preprocessor receives a packet that is in the window but is
Milani> not valid by these more restrictive criteria, what should it
Milani> do? In the absence of further knowledge, probably NOT flush
Note it - if the connection later on dies, then shout louder.
Milani> the stream, because insertion is really much less of an
Milani> issue than evasion. If it does flush, and the target host
Milani> doesn't, an attacker could evade detection by tcp
Milani> segmentation, while sending fake reset packets. Once it is
Milani> clear how this problem with tcp will be solved, we will
Milani> probably need a small patch for stream4 to take care of
The TCP spec will not, I hope, be changed.
It isn't broken.
Checking the ACK sequence number in the RST will increase effort for
the attack from 2^18 to 2^36 or so. IPsec will get rid of it.
] ON HUMILITY: to err is human. To moo, bovine. [
] Michael Richardson, Seaway Networks Corporation [
] michael at ...2449... http://www.seawaynetworks.com/ [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
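As an added illustration (not code from this thread or from stream4), a small Python model of the ambiguity Paolo describes and of the "note it, shout louder if the connection dies" handling Michael suggests: two host RST-acceptance policies diverge on the same segment, and the reassembler flushes only on the unambiguous case. The policy names, the Stream class and the idle-timeout hook are assumptions for the example.

```python
from dataclasses import dataclass, field

MOD = 2 ** 32
LAX = "lax"        # RFC 793 behaviour: any RST whose SEQ lies in the receive window
STRICT = "strict"  # behaviour of the vendor fixes discussed: SEQ must equal RCV.NXT

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq is in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def host_accepts_rst(policy, seq, rcv_nxt, rcv_wnd):
    """Whether an end host with the given policy tears the connection down."""
    if policy == LAX:
        return in_window(seq, rcv_nxt, rcv_wnd)
    if policy == STRICT:
        return seq == rcv_nxt
    raise ValueError(f"unknown policy {policy!r}")

@dataclass
class Stream:                                   # hypothetical reassembler state
    rcv_nxt: int
    rcv_wnd: int
    alerts: list = field(default_factory=list)
    closed: bool = False

def ids_on_rst(stream, seq):
    """Reassembler decision for a RST: flush only when every host would accept it."""
    if seq == stream.rcv_nxt:                      # accepted under both policies
        stream.closed = True
        return "flush"
    if in_window(seq, stream.rcv_nxt, stream.rcv_wnd):
        stream.alerts.append(("ambiguous_rst", seq))  # note it, keep the stream
        return "keep"
    return "ignore"                                # accepted under neither policy

def ids_on_idle_timeout(stream):
    """The connection went quiet: if we kept it after an ambiguous RST, the host
    most likely accepted the RST we did not, so raise the alert priority."""
    if not stream.closed and any(a[0] == "ambiguous_rst" for a in stream.alerts):
        stream.alerts.append(("rst_evasion_suspected", stream.rcv_nxt))
        stream.closed = True
        return "escalate"
    return "expire"

if __name__ == "__main__":
    s = Stream(rcv_nxt=1000, rcv_wnd=8192)
    seq = 1100  # constructed: in window, but not the exact RCV.NXT
    print({p: host_accepts_rst(p, seq, 1000, 8192) for p in (LAX, STRICT)})
    print(ids_on_rst(s, seq), ids_on_idle_timeout(s), s.alerts)
```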