Re: tcp vulnerability? haven't seen anything on it here...

From: jamal
Date: Thu Apr 22 2004 - 09:28:18 EST

Next message: Timothy Miller: "Re: vger.kernel.org is listed by spamcop"
Previous message: Willy Tarreau: "Re: tcp vulnerability? haven't seen anything on it here..."
In reply to: Giuliano Pochini: "Re: tcp vulnerability? haven't seen anything on it here..."
Next in thread: alex: "Re: tcp vulnerability? haven't seen anything on it here..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2004-04-22 at 09:46, Giuliano Pochini wrote:
> On Thu, 22 Apr 2004, jamal wrote:
>
> > On Thu, 2004-04-22 at 04:23, Giuliano Pochini wrote:
> >
> > > Yes, but it is possible, expecially for long sessions.
> >
> > In other words, 80% or more of internet traffic would not be affected
> > still using http1.0 would not be affected.
> > And for something like a huge download to just regular joe, this is more
> > of a nuisance assuming some kiddie has access between you and the
> > server.
>
> No, TCP/IP is 100% vulnerable to the man-in-the-middle attach.
> There is no cure for that.

Unless its a private network with locked vaults for the pipes, any
network is vulnerable.
I am not trying to downplay the relevance of this; all i am saying
is it may a little overhyped with the media being involved. Its
infact harder to create this attack compared to a simple SYN attack.

On Thu, 2004-04-22 at 09:58, Florian Weimer wrote:
jamal <hadi@xxxxxxxxxx> writes:
>
> > OTOH, long lived BGP sessions are affected assuming you are going across
> > hostile path to your peer.
>
> Hostile path is not required. Not at all. 8-(
>
>

Unless i misunderstood:
You need someone/thing to see about 64K packets within a single flow
to make the predicition so the attack is succesful. Sure to have access to
such capability is to be in a hostile path, no? ;->

> And it's not BGP specific. You might be able to use this attack to
> split IRC networks, too. However, it's a bit harder in this case
> because IRC servers usually use more random source ports.

Any long lived flow with close to fixed ports. FTP from kernel.org could
be vulnerable - get a better client and its just becomes a nuisance.
80% of the internet traffic is still TCP/HTTP1.0 which is very
short lived (there could be changes lately - these are numbers from
a while back) i.e you wont see more than 8 packets i.e it is highly unlikely
your traffic there is affected even if you used fixed ports.

cheers,
jamal

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Timothy Miller: "Re: vger.kernel.org is listed by spamcop"
Previous message: Willy Tarreau: "Re: tcp vulnerability? haven't seen anything on it here..."
In reply to: Giuliano Pochini: "Re: tcp vulnerability? haven't seen anything on it here..."
Next in thread: alex: "Re: tcp vulnerability? haven't seen anything on it here..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]