Friday, October 10, 2008

TCP SYN Cookie Juji-gatame

Once upon a time, when TCP/IP was designed in the late 1970s, nobody expected it to be knocked out late in 2008.
If you are interested in computer security you should have heard about this big threat by now.
Full technical details have not been disclosed, but this cannot be a hoax, because the people who found it are not fools. You have probably used Unicornscan, which comes from the same people who are now at Outpost24, a Swedish company. It seems they found the weakness while digging deep into TCP/IP in order to develop Unicornscan: they dug through TCP protocol stacks and found that something is wrong with SYN cookies.
So now, if your system is reachable, it is at risk. The attack cuts off one corner of the security triangle (availability), and a system that cannot serve anyone has no security worth talking about.
Every system has a limited number of connection slots; when all of them are in use the system stops serving. That is exactly what a DoS (Denial of Service) aims for: keep you busy so that nobody else can get service from you.
The Outpost24 people discovered this issue in 2005, and they have now written a TCP socket stress-testing framework named Sockstress.
They have only said that there is such a vulnerability in TCP and that their tool can defeat all kinds of devices that use TCP; there is no technical disclosure yet. They have not spoken plainly about the problem and say they are cooperating with vendors to fix it.
On the other side, Fyodor, the author of Nmap, has played this down and answered that it is not a new kind of vulnerability. He believes they have rediscovered what he found years ago and implemented in a private tool of his (Ndos).
I have no idea whether this is some dislike Fyodor feels towards Outpost24 and their Unicornscan or not, but as I said, these guys' news cannot be a hoax.
They have described a way to get past server-side SYN cookies (the usual defence against SYN floods) and I reproduce it here as they presented it:

- To defeat server-side SYN cookies, employ client-side SYN cookies:
  - Start with a random 32-bit number
  - XOR this number against the client side of a connection attempt (192.168.1.3:51242)
  - Use the output as the ISN for SYN packets
- When the client receives SYN/ACKs:
  - (Sequence Number - 1) XOR'd with the 32-bit number reveals the client's sending IP and port
  - The client can now complete a full 3-way handshake without ever tracking anything in a table
  - The client can also transmit data on this connection
  - No need on the client side to even keep a hash table. XOR is reversible.
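
To make the slide concrete, here is a small in-memory simulation of that client-side cookie. It is an added example and not code from Outpost24, Sockstress or Unicornscan. Two things are assumptions of mine, because the slides do not say: how an IPv4 address plus port (48 bits) is folded into a 32-bit ISN (the port is XORed into the high half of the address word, which is lossy, so the cookie verifies the endpoint rather than reveals it), and the toy stateful server used as the peer. One detail the slides gloss over: a SYN/ACK carries the client's ISN plus one in its acknowledgement number, so that is the field the check subtracts one from. The last function also shows what "XOR is reversible" costs: one sniffed SYN gives away the secret, after which a spoofed SYN makes the client accept a connection it never started.

```python
"""Client-side SYN cookie as sketched in the Outpost24 slides, simulated in
memory. Packets are plain dicts and no sockets are opened, so it runs offline.
Assumptions (not in the slides): the 48-to-32-bit fold and the toy server."""
import os
import ipaddress

MASK32 = 0xFFFFFFFF


def fold_endpoint(ip, port):
    # The slides XOR the secret "against the client side of a connection
    # attempt", but an IPv4 address plus port is 48 bits and an ISN is 32.
    # Assumption: fold the port into the high half of the address word.
    # That is lossy, so the cookie can verify an endpoint but not reveal it;
    # the IP header of the SYN/ACK carries the endpoint anyway.
    return (int(ipaddress.IPv4Address(ip)) ^ (port << 16)) & MASK32


def client_isn(secret, ip, port):
    # ISN for the outgoing SYN: the 32-bit secret XOR the folded endpoint.
    return (secret ^ fold_endpoint(ip, port)) & MASK32


def syn_ack_matches(secret, ip, port, ack):
    # A SYN/ACK acknowledges ISN + 1 (the slides' "Sequence Number - 1").
    # Undo the +1 and the XOR and compare: no table lookup is needed.
    return ((ack - 1) & MASK32) ^ secret == fold_endpoint(ip, port)


def recover_secret(syn_seq, ip, port):
    # Attacker's view: XOR is reversible, so one sniffed SYN plus its
    # (public) source address and port gives back the secret.
    return (syn_seq ^ fold_endpoint(ip, port)) & MASK32


class StatefulServer:
    """Ordinary server that remembers half-open connections (no cookies)."""

    def __init__(self):
        self.half_open = {}

    def on_syn(self, pkt):
        seq = int.from_bytes(os.urandom(4), "big")
        self.half_open[(pkt["src"], pkt["sport"])] = seq
        return {"flags": "SA", "dst": pkt["src"], "dport": pkt["sport"],
                "seq": seq, "ack": (pkt["seq"] + 1) & MASK32}

    def on_ack(self, pkt):
        key = (pkt["src"], pkt["sport"])
        return key in self.half_open and pkt["ack"] == (self.half_open[key] + 1) & MASK32


class StatelessClient:
    """Keeps a 32-bit secret and nothing else: no table of pending SYNs."""

    def __init__(self, ip, secret=None):
        self.ip = ip
        self.secret = int.from_bytes(os.urandom(4), "big") if secret is None else secret

    def syn(self, sport, dst, dport):
        return {"flags": "S", "src": self.ip, "sport": sport, "dst": dst,
                "dport": dport, "seq": client_isn(self.secret, self.ip, sport)}

    def on_syn_ack(self, pkt):
        # The endpoint to check comes from the packet itself (dst IP/port).
        if not syn_ack_matches(self.secret, pkt["dst"], pkt["dport"], pkt["ack"]):
            return None  # not a reply to any SYN built with our secret
        return {"flags": "A", "src": self.ip, "sport": pkt["dport"],
                "ack": (pkt["seq"] + 1) & MASK32}


def handshake(client, server, sport, server_ip="10.0.0.1", dport=80):
    """Full 3-way handshake with the client tracking nothing but its secret."""
    ack = client.on_syn_ack(server.on_syn(client.syn(sport, server_ip, dport)))
    return ack is not None and server.on_ack(ack)


def stray_syn_ack_rejected(client, dport=40000):
    """A SYN/ACK that answers no SYN of ours fails the cookie check."""
    stray = {"flags": "SA", "dst": client.ip, "dport": dport, "seq": 1, "ack": 12345}
    return client.on_syn_ack(stray) is None


def forged_handshake(client, server, sniffed_sport, server_ip="10.0.0.1", dport=80):
    """Attacker sniffs one real SYN, recovers the secret and spoofs a SYN from
    the client's address on a new port. The server's SYN/ACK then passes the
    client's check, so the client completes a connection it never asked for."""
    real = client.syn(sniffed_sport, server_ip, dport)
    leaked = recover_secret(real["seq"], real["src"], real["sport"])
    spoof = {"flags": "S", "src": client.ip, "sport": sniffed_sport + 1,
             "dst": server_ip, "dport": dport,
             "seq": client_isn(leaked, client.ip, sniffed_sport + 1)}
    ack = client.on_syn_ack(server.on_syn(spoof))
    return ack is not None and server.on_ack(ack)


if __name__ == "__main__":
    c, s = StatelessClient("192.168.1.3", secret=0xDEADBEEF), StatefulServer()
    print("handshake:", handshake(c, s, 51242))
    print("stray SYN/ACK rejected:", stray_syn_ack_rejected(c))
    print("forged handshake accepted:", forged_handshake(c, s, 51242))
```

Run it as a script to see all three results. The first two show what the slide promises: the client completes handshakes and filters stray SYN/ACKs with no per-connection state. The third is the flip side of a bare XOR cookie: the same reversibility that makes it stateless makes the secret recoverable by anyone who sees one SYN, which is why a real implementation would use a keyed hash rather than a plain XOR.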


That was all.

1 comment:

Hervé said...

It really seems these client cookies are worthless: when you receive the SYN/ACK, you can just use the IP header to get the address and the port of the client. So this gives no more advantage than the techniques already known today for establishing a connection from the client side without having to open an entry in the TCP table for the original SYN.

Moreover, if somebody implements this plain type of client cookie without a secret, it will be easy to have them and a server open a connection that you initiated by spoofing the client address with a SYN. So let's hope client cookies are not implemented (yet)!