[Dshield] Vulnerability Issues in TCP

Rick Klinge rick at jaray.net
Thu Apr 22 22:05:42 GMT 2004


> George, Rick, other Peter,
> 
> Ok, maybe I need to clarify.  My confusion on this
> issue is not due to the fact that I don't understand
> TCP/IP (I do) nor that I haven't read any of the
> technical advisories (I have read all info concerning
> this).
> 
> My issue here is that specific products are vulnerable
> due to the way they were designed (e.g. WinNT's
> easy-to-guess ISNs).  Then it hits the popular press
> and a failure on the part of those vendors somehow
> becomes a deficiency in TCP...?
> 
> Yes, I know the advisory states that this is a
> "vulnerability in TCP."  Yeah, in the same way that
> people are vulnerable to bullets.  When I began
> learning about hacks one of the first things we
> learned was that the TCP session was vulnerable to
> this kind of thing...so why the alarm all of a sudden?
> 
> Maybe I'm just paranoid, I dunno, it just seems fishy,
> is all.
> 

Well IMHO, from what I understand - as an example: if a computer has a TCP
service/daemon running on 123.456.789.012 port 1234 then a psycho could push
TCP packets to that IP and port and 'possibly' cause an RST (reset) to be
issued.  Doing so, if there were other previous connections from other
computers, would cause the service/daemon to either reset the service/daemon
or cause a DoS.  One other slim chance is that if the psycho knew the
code/DLLs of the service/daemon software they could possibly (very slim)
inject them to cause further harm.  There are ways to help lessen the
chances of an attack but I'm hoping the psychos will lose interest.
Disabling finger, echo, ICMP, etc. will help some - but that is only a temp,
lame solution.

~Rick
