[Snort-devel] New opportunity for IDS evasion in patches to tcp protocol vulnerability

Michael Richardson Michael.Richardson at ...2449...
Tue Apr 27 10:45:19 EDT 2004

Hash: SHA1

>>>>> "Milani" == Milani Paolo <Paolo.Milani at ...865...> writes:
    Milani> take that much time.  This is a big issue for protocols that
    Milani> have fixed port numbers for both peers (such as bgp).  In

  No, BGP does not have fixed port numbers for both peers. Like all
protocols, one end picks a "random" port.

    Milani> fact some vendors are already releasing fixes, and if my
    Milani> understanding is correct these fixes break the current tcp
    Milani> standard by requiring more restrictive conditions for a rst
    Milani> packet to be valid: specifically, i think, that the seuqnce
    Milani> number be exactly the expected sequence number expected for
    Milani> the next packet, rather than just any "in window" sequence
    Milani> number.  The tcp standard itself will perhaps be modified in

  Yes, this is all bullshit.
  BGP doesn't really need to have RST at all. A simple ACL restricting 
TCP RSTs to port 179 would suffice.
  If you need RSTs, use TCPMD5 or IPsec.

    Milani> anti-idsers will have a new opportunity for evasion.  If
    Milani> some tcp/ip stacks accept all in window rst packets, while
    Milani> others apply more restrictive conditions, we have one of
    Milani> those ambiguity situations that allow evasion/insertion
    Milani> attacks against network ids.  When the stream reassembly
    Milani> preprocessor receives a packet that is in the window but is
    Milani> not valid by these more restrictive criteria, what should it
    Milani> do?  In the absence of further knowledge, probably NOT flush

  note it - if the connection later on dies then shout louder.

    Milani> the stream, because insertion is really much less of an
    Milani> issue than evasion. If it does flush, and the target host
    Milani> doesn't, an attacker could evade detection by tcp
    Milani> segmentation, while sending fake reset packets.  Once it is
    Milani> clear how this problem with tcp will be solved, we will
    Milani> probably need a small patch for stream4 to take care of
    Milani> this.

  The TCP spec will not, I hope, be changed.
  It isn't broken. 
  Checking the ACK sequence number in the RST will increase effort for
the attack from 2^18 to 2^36 or so. IPsec will get rid of it.

- --
]       ON HUMILITY: to err is human. To moo, bovine.                         [
]   Michael Richardson,            Seaway Networks Corporation                [
]   michael at ...2449...     http://www.seawaynetworks.com/             [
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

   This message and any attachments are intended only for the use of the       
   recipient(s) to which it is addressed, and may contain information that is  
   privileged, confidential and exempt from disclosure under applicable law.   
   Unless you are the addressee (or authorized to receive for the addressee),  
   you may not review, use, copy or disclose the message or any information    
   contained in the message. If you have received the message in error,        
   please advise the sender by reply e-mail and delete the message and any     
   attachments. Thank you.                                                     

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Finger me for keys


More information about the Snort-devel mailing list