[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP



Frickin k1dz1es

On Thu, Jan 19, 2012 at 01:22:35PM +1100, xD 0x41 wrote:
> On 18 January 2012 09:45, Jan Wrobel <wrr@xxxxxxxxxxxx> wrote:
> > Hi,
> >
> > This TCP session hijacking technique might be of interest to some of you.
> >
> > Abstract:
> > The paper demonstrates how traffic load of a shared packet queue can
> > be exploited as a side channel through which protected information
> > leaks to an off-path attacker. The attacker sends to a victim a
> > sequence of identical spoofed segments. The victim responds to each
> > segment in the sequence (the sequence is reflected by the victim) if
> > the segments satisfy a certain condition tested by the attacker. The
> > responses do not reach the attacker directly, but induce extra load on
> > a routing queue shared between the victim and the attacker. Increased
> > processing time of packets traversing the queue reveal that the tested
> > condition was true. The paper concentrates on the TCP, but the
> > approach is generic and can be effective against other protocols that
> > allow to construct requests which are conditionally answered by the
> > victim. A proof of concept was created to asses applicability of the
> > method in real-life scenarios.
> >
> > The paper in ps and pdf is available at http://mixedbit.org and
> > http://arxiv.org/abs/1201.2074
> >
> > Proof of concept: https://github.com/wrr/reflection_scan
> >
> > Thanks,
> > Jan
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> Very cool :)
> Thanks for showing this as a 'type' ofsequencing,id love to test this
> with winBITS and see what makes a difference in there...but yea, nice
> stuff from the snippets i have read and could comprehend without
> making a packetting app :P hehe..great work, and great paper for ANY
> hat to wear.
> Might have to try it oneday and see if it is as effective as it seems!
> great stuff tho, anything todo with bugs within TCP-IP stacks, should
> be al;ways encouraged... thanks for the encouragement :-)
> Cheers,and Ill maybe add more on this and another persons pi3.com.pl )
> tcp ip session hijacking, wich people have even said, is impossible...
> i guess they should find and watch that video, or just ask the author
> of the blog, to explain it more...nmaybe would have them something to
> actually see as a 'p0c'.... anyhow, many thanks in your input and,
> again any futher addons and appendices to the papers just, let the
> list know, and ill makesure the topic maybe gets a better coverage,
> as, this is also a topic many ppl called me a wanker on...or maybe one
> of them :s megh, i dont count now,. i just read the msgs from 3 ppl
> and delete the rest :)
> best way to use fd, is to  take what your iven, and stfu... i dont
> know why somany ppl seem to call me this, whebn, i am only interested,
> in bugs i can actually exploit...yet, somuch bullsh1t on this forum,
> they have forgotten what a bug is, and,. what a poc is./....and now,
> these are 'design flaws' lol....anyhow, pease keep up the ressearch,
> we like it! Oh thats, the ppl like, 3 of ypou (maybe) who actually,
> seem cool ;)
> You also do, and your on a great topic, dont let idiots pick out any
> flaws in anything on this subject, coz believe me, behind every
> trolling ive been thru, that was the worst when i spoke about, methods
> of hijacking tcp ip stack....and did not give out the poc...well, now,
> the poc is available to see on video for those who are not idiots and
> abuse, but actually, want to see it working :)
> Ok, thats my 2bob, dont expect any answers, unless your a VERY well
> known person, i will auto delete it, so, i hope to see you in my
> channel, anytime online... and there, we could discuss ANYTHING :)
> Why some of you are there, and see what i do, i guess are not the
> haters on this list but, also, they get what 'theyre given' ,wich is
> ALOTTTT in the cases where people are cool....so, i guess the moral of
> the story is, dont smash the stack toooo hard....
> enjoy budddy, im probably one of few who would even understand it but
> anyghow :P Thanks!I
> Drew.
> 
> PS:
> NOT a top poster anymore, omg, whats this, not using Glow XD , what is
> this, madness!! omg!
> Seriously folks, you should all read more of people like this's work,
> and then maybe, contribute some of your own frigging srcs, instead of
> relying on ppl like kcope to fist fuck you, wich is fine bvy me :> i
> hope he fucks this list over, nonstop till your arses bleed, but hey,
> thats JUST me! love you all long fucking time arseholes, goto hell,
> and dont even try taklkin to me, ever, if your not already in the addy
> book, you will fkn known about it and oh, i CAN ddos you, and i WILL,
> so, anytime you like to shit me, in private, and wish to test your
> fwall, go hard, i dun care, i should say, we...but,. it really doesnt
> matter, coz, i dont even have to press the buttons for the wankers who
> have al;ready flamed me in past anymore, you will only feel what i
> love best, TCP./IP and, possibly UDP!
> Have a fucking GREAT day arsefucker. Oh and, lickers are cool so, no
> offence there nor for them :)
> PEACE TO YOU MOFOS // XD #HAXNET FUCKUALL
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
;s =;

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/