Slipping in the Window TCP Reset Attacks.ppt

Slipping in the Window: TCP Reset Attacks Paul (Tony) Watson CISSP, CISM, CCSP, CCSE, MCSE+Security, etc, etc… paw@ Agenda Background “Separating Fact from Fud” Facts Fundamentals RFC-793, Window size defaults, ISN Prediction Targets Practical Attack Requirements Estimates Live Testing Results Protecting From Attack / Solutions Fixes The Disclosure Process Thanks and Credits Background Sequence number research Blind spoofing, packet injection, session hijacking Growth in available bandwidth Growth of business dependence on Internet VPN’s, Mail, Web, Database, B2B, etc. DDoS attacks (what a waste of resources) Mass-rooting, drone deployments, poor ATO* (on/off) Homeland Security / Critical Infrastructure Threats of Information Warfare TCP Reset Attack Time Requirements ? A theoretical blind attack @ 1 million pps ~ 30 minutes to just get the seq. number (assuming a correct guess after iterating through 50% of the space). (232/2)/1,000,000 = # of seconds ??Our tool was able to generate 62,500pps* ~ 9 hours ??Since the attacker won’t know which side is 179 vs. a high port multiply these numbers by 2. ??With source port randomization, this goes to 4 years in the first example (1 mil. pps to guess 1 48 bit number and 142 years assuming 62,500pps and needing to guess both sides): ((248/2)/62,500)x2 = # of seconds *What sort of event is 62.5kpps on your router? Facts: TCP Features Options Sequencing of TCP packets Sequence and acknowledgement numbers 32 bit field (over 4 billion possibilities) Ensures ordering of received packets Window size 16 bit field (over 65,000 possibilities) Sender and receiver have independent window sizes Facts: RFC-793 ( TCP ) Facts: RFC-793 Requirements Facts: RFC-793 Options But it gets even worse…… Facts: TCP Features Options Window Scaling: RFC-1323 Primarily used for Long Fat Networks (LFN) Windows up to 30 bits (scale factor of 14) 1 gigabyte windows!!! Dramatically simplifies TCP Reset attacks Only 4 packets required