TCP ICMP DoS flaw

Well, it's happened again. Fernando Gont has discovered that there is a potential connection reset vulnerability in a number of TCP/IP stacks (advisory here). Unlike the last TCP DoS attack, this attack uses ICMP messages rather than TCP RSTs.

The Internet Control Message Protocol (RFC 792) is used to send various kinds of control messages to IP-connected hosts. One example is the ICMP Host Unreachable message, which tells the receiver that the sending router can't forward the packet to the destination. Another is the ICMP Datagram Too Big message, which tells the sender that the packet is too big to forward and can't be fragmented (because the Don't Fragment bit is set). This message is used in Path MTU Discovery (RFC 1191).

When a TCP implementation receives an ICMP Host Unreachable, that tells it that it can't talk to the receiver and that it needs to terminate the connection. In order to help the sender identify the correct connection, and to prevent attackers from forging Host Unreachable messages, ICMP error messages quote the IP header and the first 64 bits of the offending datagram's payload (which, for TCP, covers the ports and the sequence number). Thus, in order to generate a valid message the attacker needs to be able to see the packets of the connection it wants to attack.

In theory this should stop attackers from resetting connections that they can't see. In practice, it turns out that a lot of TCP implementations (in particular Cisco, Juniper, and IBM) check the host and port in the ICMP messages but don't check the TCP sequence number. Often the host and port portions are predictable, so if you know about a connection you may be able to reset it. There are also a variety of other attacks involving other ICMP messages. The correct fix is described in draft-gont-tcpm-icmp-attacks-03.txt.
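To make the two preceding paragraphs concrete, here is an added example (not code from this post, the advisory, or the draft) of how a TCP stack should validate an ICMP Destination Unreachable before tearing down a connection. It parses the quoted IP header plus 64 bits of TCP header, shows the weak host-and-port-only check beside a check that also requires the quoted sequence number to fall in the send window, as the draft recommends; the `Connection` fields, function names, documentation addresses and the hand-built test messages are all assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class Connection:
    """Minimal TCB state needed to validate an ICMP error (constructed for this example)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int  # oldest unacknowledged sequence number
    snd_nxt: int  # next sequence number this host will send

def parse_icmp_unreachable(icmp: bytes):
    """Extract (src, dst, sport, dport, seq) from the datagram quoted in an ICMP Type 3 error."""
    if icmp[0] != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner = icmp[8:]                     # quoted IP header + first 64 bits of its payload
    ihl = (inner[0] & 0x0F) * 4          # IP header length in bytes
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])  # TCP ports + sequence number
    return src, dst, sport, dport, seq

def weak_check(conn: Connection, icmp: bytes) -> bool:
    """Vulnerable behaviour: act on the error when only the addresses and ports match."""
    src, dst, sport, dport, _ = parse_icmp_unreachable(icmp)
    return (src, sport, dst, dport) == (conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port)

def hardened_check(conn: Connection, icmp: bytes) -> bool:
    """Fix: additionally require the quoted sequence number to fall in [SND.UNA, SND.NXT)."""
    src, dst, sport, dport, seq = parse_icmp_unreachable(icmp)
    if (src, sport, dst, dport) != (conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port):
        return False
    window = (conn.snd_nxt - conn.snd_una) % 2**32
    return (seq - conn.snd_una) % 2**32 < window  # modular compare handles sequence wraparound

def build_icmp_unreachable(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed test input: ICMP Type 3 / Code 1 (Host Unreachable); checksums left at 0."""
    ip_hdr = (bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
              + bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split(".")))
    return bytes([3, 1, 0, 0, 0, 0, 0, 0]) + ip_hdr + struct.pack("!HHI", sport, dport, seq)

# Constructed BGP session (RFC 5737 documentation addresses) with unacknowledged data 1000..1499.
BGP_SESSION = Connection("192.0.2.1", 179, "198.51.100.7", 49200, snd_una=1000, snd_nxt=1500)
# Spoofed error that matches addresses and ports but carries a sequence number never sent.
FORGED = build_icmp_unreachable("192.0.2.1", "198.51.100.7", 179, 49200, seq=0)
# Genuine error quoting a segment this host really sent.
GENUINE = build_icmp_unreachable("192.0.2.1", "198.51.100.7", 179, 49200, seq=1200)
```

The weak check accepts both messages; the hardened check rejects the spoofed one, so an off-path sender who knows only the endpoints cannot reset the session.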

This isn't something to panic about. As with last year's TCP attacks, the scope of this attack is fairly limited. There aren't many TCP-based protocols that are simultaneously high value and reliant on long-lived TCP connections. Web transactions, for instance, are basically unaffected. The main example is BGP. Unfortunately, the TCP MD5 fix from last year's attack doesn't seem to prevent this attack; however, one of the workarounds, port randomization, does. So, in principle, it's possible to DoS substantial fractions of the Internet routing system. In practice, Cisco has already rolled out fixes and I imagine Juniper and IBM will if they haven't already.

32 TrackBacks


TCP DoS using ICMP from TriNetre - The Third Eye on April 14, 2005 1:38 AM

Fernando Gont of NISCC has published a security advisory on the use of ICMP packets to perform DoS on TCP connections. The problem arises due to the incorrect handling of... Read More


1 Comments

"don't check the host and port in the ICMP messages but don't check the TCP sequence number"

What were you saying about leaving typos in? :-)
