Vigil@nce - TCP: Blind Spoofing facilitated by SYN Cookies
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When SYN Cookies are enabled, an attacker can optimize a brute
force spoofed TCP session, which is 32 times faster.
Impacted products: TCP
Severity: 1/4
Creation date: 13/08/2013
DESCRIPTION OF THE VULNERABILITY
A blind TCP attack guesses the initial sequence number (ISN) of a
TCP server, in order to establish a session. There are 2^32
possible values.
The SYN Cookie feature protects the system against Synflood. In
order to do so, the TCP server does not memorize client’s data,
but encodes them in the ISN it sends. The client then returns this
(incremented) ISN, and the server validates it.
The server accept 4 values for the counter (incremented once a
minute) and 8 values for the MSS (Maximum Segment Size). There are
therefore 32 (4*8) valid ISN that the server is ready to accept. A
blind attack thus requires 2^27 trials instead of 2^32 trials.
When SYN Cookies are enabled, an attacker can therefore optimize a
brute force spoofed TCP session, which is 32 times faster.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/TCP-Blind-Spoofing-facilitated-by-SYN-Cookies-13271