Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[REVS] ICMP Attacks Against TCP

from [SecuriTeam] Network Security [Permanent Link]
Subject: [REVS] ICMP Attacks Against TCP
Date: 18 Aug 2005 16:57:22 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  ICMP Attacks Against TCP
------------------------------------------------------------------------


SUMMARY

It is possible to attack TCP connections by forging ICMP packets and 
sending them to the server. The whitepaper linked below discusses the 
problem and means to solve it, as well as attack tools to exploit the 
vulnerabilities.

DETAILS

Introduction:
Recently, awareness has been raised about several threats against the TCP 
protocol, which include blind connection-reset attacks. These attacks are 
based on sending forged TCP segments to any of the TCP endpoints, 
requiring the attacker to be able to guess the four-tuple that identifies 
the connection to be attacked.

While these attacks were known by the research community, they were 
considered to be unfeasible. However, increases in bandwidth availability, 
and the use of larger TCP windows have made these attacks feasible. 
Several general solutions have been proposed to either eliminate or 
minimize the impact of these attacks. For protecting BGP sessions, 
specifically, a counter-measure had already been documented in, which 
defines a new TCP option that allows a sending TCP to include a 
MD5signature in each transmitted segment.

All these counter-measures address attacks that require an attacker to 
send forged TCP segments to the attacked host.  However, there is still a 
possibility for performing a number of attacks against the TCP protocol, 
by means of ICMP. These attacks include, among others, blind 
connection-reset attacks.

This document aims to raise awareness of the use of ICMP to perform a 
number of attacks against TCP, and proposes several counter-measures that 
can eliminate or minimize the impact of these attacks.

Attack Tools:
A set of tools for this family of vulnerabilities was release, for more 
information see:  <http://www.securiteam.com/tools/5ZP0S1FGAA.html> ICMP 
Attack Tools

Additional Notes:
The attacks are blind, so the attacker does not need to be a "man in the 
middle" to perform then. The typical number of packets required to perform 
any of these attacks is about 16000 (in many cases, the attacker requires 
fewer packets). This means that even when a 128kbps link, it will take the 
attacker much less than a minute to perform them.

What are the affected applications?
Well, the first one that may come to your mind is BGP, but there are 
others. For example:
* Proxies (either transparent, or not)

Let's say we want to prevent users from accessing the web site 
192.168.0.1. If the web proxy address is 10.0.0.1, we can attack it and 
run any of the tools like: icmp-xxxx -c 10.0.0.1:1024-65535 -s 
192.168.0.1:80 -t server
With this attack, all the clients that are using the proxy 10.0.0.1 cannot 
access the webserver at 192.168.0.1

* Mail
Think about two major e-mail providers. Let's say one is 10.0.0.1, and the 
other one is 192.168.0.1. Let's DoS the mail transfers from 10.0.0.1 to 
192.168.0.1: icmp-xxxx -c 10.0.0.1:1024-65535 -s 192.168.0.1:25 -t client

Let's also DoS the mail transfers from 192.168.0.1 to 10.0.0.1: icmp-xxxx 
-c 192.168.0.1:1024-65535 -s 10.0.0.1:25 -t client

* NATs
NATs will usually make all the hosts in your network use one (or a few) IP 
address(es) for their TCP connections. By performing the attack against 
the IP address of the NAT box trying all the possible port number 
combinations, you would be attacking the TCP connections of all the 
clients behind the NAT.
And the list could continue....

Even only one attacker with broadband access can perform these attacks, as 
discussed above.
Not to mention what could happen if someone had the idea to include these 
attack tools in an Internet worm.

Wasn't this simple? Isn't this something that should be fixed?

Otherwise, read the draft at  
<http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html> 
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html , send it to 
your vendor, explain it to them, and ask them to fix their OS.

Common misconceptions:
* The TCP MD5 option does not protect you from these attacks
* IPSec does not protect you from these attacks
* You cannot filter all ICMP messages
* Relying on fragmenttion has many potential problems (read Mogul's 
"Fragmentation considered harmful" classic, or the recent Matthis' 
"Fragmentation considered very harmful")
* The minimum IPv4 MTU is 68. If you ignore ICMP messages that claim MTU's 
lower than X (where X>68), then there's a high chance your TCP connections 
may stall

The full whitepaper can be found at:  
<http://www.gont.com.ar/drafts/draft-gont-tcpm-icmp-attacks-03.txt> 
Internet-Draft - ICMP attacks against TCP(December 2004)


ADDITIONAL INFORMATION

The information has been provided by  <mailto:fernando@frh.utn.edu.ar> 
Fernando Gont.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [REVS] ICMP Attacks Against TCP, SecuriTeam <=
Previous by Date:  [NT] NetworkActiv Web Server Directory Traversal, SecuriTeam
Next by Date:  [UNIX] HP Ignite-UX Information Disclosure, SecuriTeam
Previous by Thread:  [NT] NetworkActiv Web Server Directory Traversal, SecuriTeam
Next by Thread:  [UNIX] HP Ignite-UX Information Disclosure, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]