Slashdot Mirror

← Back to Stories (view on slashdot.org)

Understanding TCP Reset Attacks, Part I

Posted by timothy on from the infenestration dept.

Jeremy Andrews writes "A vulnerability in TCP, the transmission control protocol, recently received some exposure in the media. Paul Watson released a white paper titled Slipping In The window: TCP Reset Attacks at the 2004 CanSecWest conference, providing a much better understanding of the real-world risks of TCP reset attacks. The resulting articles in the major media painted a doom and gloom picture of the threat. To better understand the reality of this threat and how it affects all operating systems, KernelTrap spoke with Theo de Raadt, the creator of OpenBSD, an operating system which among other goals proactively focuses on security. In this article, we aim to provide some background into the workings of TCP, and then to build upon this foundation to understand how resets attacks work. This is the first article in a two part series. The second article will look into how TCP stacks can be hardened to defend against such attacks. Toward this goal, we spoke with members of the OpenBSD team to learn what they have done so far, and what further plans they have to minimize the impact of reset attacks."

10 comments

  1. IPX/SPX by Anonymous Coward · · Score: 0

    Its truly a pity noone uses NCP anymore. Hell even IPX/SPX was superior to TCP. But of course my favorite is broadcasting encrypted packets via UDP. Don't have to worry about resets there!

    No seriously, TCP is showing its age (not the rfc, just the implementations). Hopefully this will spurn people onto adopting IPv6.

    1. Re:IPX/SPX by trompete · · Score: 4, Informative

      Um.....does IPv6 matter in this equation? TCP will just sit on top of IPv6 anyway.

      IP4
      TCP->IP->Ethernet->Wire->Ethernet->IP->TC P

      IP6
      TCP->IPv6->Ethernet->Wire->Ethernet->IPv6-> T CP

      Hmmmm....

      --
      More than enough BS
    2. Re:IPX/SPX by Tor · · Score: 4, Interesting
      Um.....does IPv6 matter in this equation? TCP will just sit on top of IPv6 anyway.


      IPv6 provides other means to prevent IP spoofing (a prerequisite for TCP reset attacks).
    3. Re:IPX/SPX by Carnildo · · Score: 4, Interesting

      Um.....does IPv6 matter in this equation? TCP will just sit on top of IPv6 anyway.

      Doesn't matter at all. For a reset attack, you need to match source IP address (known), destination IP address (known), source port (unknown, but guessable), destination port (known), and TCP sequence number (unknown, but guessable). All the unknowns are in the TCP layer.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  2. Solutions. by Johan+Buret · · Score: 1

    All this trouble stems from two orthogonal problems.

    • The window width, useful to accept datas
    • The possibility to spoof source IP address and send RST packet.

    One possibility would be to accept the RST packet with the very right sequence number (beginning of window) and thus making its probability fall back to 2^32 to 1. I guess it would need some serious reimplementation of TCP stack on all systems.

    Another possibilty would be for ISPs to drop packet with inappropriate source address, to prevent spoofing. It might work if all ISP do this job and no rogue party has a direct internet connection.

    All of the above would be steps in the right direction

    --
    My center is giving way, my right is in retreat; situation excellent. I shall attack.
    1. Re:Solutions. by vijaya_chandra · · Score: 1

      "inappropriate source address"
      ?!!?!?

    2. Re:Solutions. by Johan+Buret · · Score: 1

      Well, it deserves an explication.

      Let's imagine an ISP providing the range 80.214.0.0

      It has some routers providng connection to the rest of Internet. The filtering should take place on these routers for packets going from subnetwork to internet.
      If this packet has source 80.214.1.56, it's probably a legit packet and the router must transfer it.
      If this packet has source 12.34.56.78 -inappropriate- it's a bad packet and must drop it.

      OSrry I didn't make it clear on first time

      --
      My center is giving way, my right is in retreat; situation excellent. I shall attack.
  3. In window by Carewolf · · Score: 2, Interesting

    It seems the attacks rely on being able to guess the right window, but say the connection is currently actively transmitting and receiving, then part of the window will always be full, and thus while the attack might hit the window, it will not work as expected since the receiver already have a packet at that sport.

    It mostly seem to be a problem for silly application protocols that expects to keep idle TCP-connections up all the time.

  4. ipSec by Smallpond · · Score: 2, Interesting

    Long-term TCP connections on the public internet that have a high cost to re-establish can use ipSec to avoid this problem.

    Random source port allocation from a large pool, combined with smaller window sizes should be sufficient for the rest. Why do you need more than a 1K window width? Because packet sizes are too small. TCP is from '91, so 1K packets were considered "big", transmission speeds were slow, and the network was presumed to be fairly unreliable. Now with higher speed and huge memory, a packet size of 64K would reduce overhead as well as the need for large packet windows.

    1. Re:ipSec by Anonymous Coward · · Score: 0

      TCP communicates with a byte stream. The window is specified in bytes, and ack sequence numbers specify a received byte position. It has no concept of packet length, unless you want to consider individual bytes to be 1-byte packets with individual sequence numbers.

      IP worries about fragmentation for the underlying medium, not TCP.

      TCP is from far earlier than "'91". RFC 675 is from 1974. Vinton Cerf would have been coding to hits from Barbara Streisand (The Way We Were), Elton John (Bennie and the Jets), Terry Jacks (Seasons in the Sun), Blue Swede (Hooked on a Feeling), and Mac Davis (One Hell of a Woman). Assuming, of course, he wasn't drowning his sorrows due to losses in the 73-74 bear market, waiting in line at the gas pump due to the Arab oil embargo, or remaining glued to the television at the unprecedented resignation of President Nixon after the Watergate scandal.

      Changing the packet size does not change the need for a large TCP window, as the number of payload bytes involved is still the same. Networks with larger bandwidth-delay products need larger windows. Eliminating packet overhead increases your effective bandwidth, and thus you would need to increase your window size, not decrease it. Of course, in most real networks the frame overhead is minimal anyway, so the change would be minor.