Hacker News new | past | comments | ask | show | jobs | submit login

The sequence number prediction specifics are different, but the attack is the same, blind TCP spoofing.



I think it depends on how you read the article. The most charitable reading is that the authors couldn't find a source for probing the whole ISN space, and believe that variant of the attack is novel. I think you have to be a bit uncharitable to assume they're claiming the whole concept of blind TCP spoofing.


I would cut them a lot more slack if they mentioned that their method doesn't work in the vast majority of networks today (assuming one wants to cross networks with it), due to egress filtering. If one is already present locally, and can send spoofed packets, there are far better attacks to try than sending tens to hundreds of gigabytes of data for a single spoofed connection (that will be immediately terminated).

Their method doesn't even attempt to keep the connection going.

Anyone with network experience would see the bruteforcing method as elementary and common knowledge really, it's nothing new.

In short, amateur hour.


Since TCP spoofing is essentially an academic concept at this point --- even if you could do it in milliseconds, it wouldn't be very useful --- I'm not sure the practical baggage or refinements you're talking about are that important.

Also, I think RPF filtering is a little less common than you're implying that it is.


Why not useful? In my experience setups involving IP ACLs for TCP services are pretty common in the wild. As well as risk-assesments talking about the relative rarity of on-path attackers, predicated on TCP security against off-path attackers.


Risk assessments making bad assumptions is not a new thing.

People are always advocating egress filtering because "if only everybody would do it ...", but it's a classic tragedy of the commons. Egress filtering doesn't meaningfully help the network doing it and it may cause ugly problems with asymmetric routes and the like, so the number of networks that don't do it is large enough to be meaningful. And if you get close enough to the core of the internet it's basically impossible anyway because there is no practical way to keep track of which address ranges a particular interface should legitimately be sending traffic from when the list encompasses half the address ranges on the internet and can change at any time.

The upshot being it's not at all difficult for an attacker to get hold of a connection that doesn't do egress filtering, and that isn't ever going to change.


It's different: The old was attacking weak randomness, this is showing easy brute forcing.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: