Technical details of the attack described by Markoff in NYT


From: tsutomu@ariel.sdsc.edu (Tsutomu Shimomura)
Subject: Technical details of the attack described by Markoff in NYT
Newsgroups: comp.security.misc,comp.protocols.tcp-ip,alt.security
Message-ID:
Date: 25 Jan 1995 04:36:37 -0800
Organization: San Diego Supercomputer Center

Greetings from Lake Tahoe.

There seems to be a lot of confusion about the IP address spoofing and
connection hijacking attacks described by John Markoff's 1/23/95 NYT article,
and CERT advisory CA-95:01.

Here are some technical details from my presentation on 1/11/95 at CMAD 3
in Sonoma, California. Hopefully this will help clear up any misunderstandings
as to the nature of these attacks.

Two different attack mechanisms were used. IP source address spoofing
and TCP sequence number prediction were used to gain initial access to a
diskless workstation being used mostly as an X terminal. After root access
had been obtained, an existing connection to another system was hijacked by
means of a loadable kernel STREAMS module.

Included in this note are excerpts from actual tcpdump packet logs generated
by this attack. In the interest of clarity (and brevity!), some of the data
has been omitted.

I highly recommend Steve Bellovin's paper and posts on IP spoofing, as he
describes in more detail the semantics of the TCP handshake, as well as making
some suggestions on how to defeat this attack.

My configuration is as follows:
    server = a SPARCstation running Solaris 1 serving my "X terminal"
    x-terminal = a diskless SPARCstation running Solaris 1
    target = the apparent primary target of the attack

The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first
probes were from toad.com (this info derived from packet logs):

    14:09:32 toad.com# finger -l @target
    14:10:21 toad.com# finger -l @server
    14:10:50 toad.com# finger -l root@server
    14:11:07 toad.com# finger -l @x-terminal
    14:11:38 toad.com# showmount -e x-terminal
    14:11:49 toad.com# rpcinfo -p x-terminal
    14:12:05 toad.com# finger -l root@x-terminal

The apparent purpose of these probes was to determine if there might be
some kind of trust relationship amongst these systems which could be exploited
with an IP spoofing attack. The source port numbers for the showmount and
rpcinfo indicate that the attacker is root on toad.com.

About six minutes later, we see a flurry of TCP SYNs (initial connection
requests) from 130.92.6.97 to port 513 (login) on server. The purpose of
these SYNs is to fill the connection queue for port 513 on server with
"half-open" connections so it will not respond to any new connection
requests. In particular, it will not generate TCP RSTs in response to
unexpected SYN-ACKs.

As port 513 is also a "privileged" port (

    server.login: S 1382726960:1382726960(0) win 4096
    14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
    14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
    14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
    14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
    14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
    14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
    14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
    14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096
    14:18:23.225384 130.92.6.97.609 > server.login: S 1382726969:1382726969(0) win 4096
    14:18:23.282625 130.92.6.97.610 > server.login: S 1382726970:1382726970(0) win 4096
    14:18:23.342657 130.92.6.97.611 > server.login: S 1382726971:1382726971(0) win 4096
    14:18:23.403083 130.92.6.97.612 > server.login: S 1382726972:1382726972(0) win 4096
    14:18:23.903700 130.92.6.97.613 > server.login: S 1382726973:1382726973(0) win 4096
    14:18:24.003252 130.92.6.97.614 > server.login: S 1382726974:1382726974(0) win 4096
    14:18:24.084827 130.92.6.97.615 > server.login: S 1382726975:1382726975(0) win 4096
    14:18:24.142774 130.92.6.97.616 > server.login: S 1382726976:1382726976(0) win 4096
    14:18:24.203195 130.92.6.97.617 > server.login: S 1382726977:1382726977(0) win 4096
    14:18:24.294773 130.92.6.97.618 > server.login: S 1382726978:1382726978(0) win 4096
    14:18:24.382841 130.92.6.97.619 > server.login: S 1382726979:1382726979(0) win 4096
    14:18:24.443309 130.92.6.97.620 > server.login: S 1382726980:1382726980(0) win 4096
    14:18:24.643249 130.92.6.97.621 > server.login: S 1382726981:1382726981(0) win 4096
    14:18:24.906546 130.92.6.97.622 > server.login: S 1382726982:1382726982(0) win 4096
    14:18:24.963768 130.92.6.97.623 > server.login: S 1382726983:1382726983(0) win 4096
    14:18:25.022853 130.92.6.97.624 > server.login: S 1382726984:1382726984(0) win 4096
    14:18:25.153536 130.92.6.97.625 > server.login: S 1382726985:1382726985(0) win 4096
    14:18:25.400869 130.92.6.97.626 > server.login: S 1382726986:1382726986(0) win 4096
    14:18:25.483127 130.92.6.97.627 > server.login: S...
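The queue-filling SYN burst above, and the earlier remark that the source ports of the showmount/rpcinfo probes give away a root sender, both have a log signature a monitoring tool can pick out after the fact. The script below is an added editorial example, not part of Shimomura's post or any tool he mentions: it parses tcpdump lines in the format shown in the post and flags a source that sends many bare SYNs to one port in a short window, reporting whether the ISNs step by a fixed amount, whether the source ports are consecutive, and whether they are all privileged. The names parse_line and find_syn_floods, the window/threshold defaults, and the three "client.example" handshake lines in the sample are assumptions of this example; the flood lines in the sample are copied from the log above.

```python
import re
from collections import defaultdict

# One tcpdump line in the format used in the post above, e.g.
#   14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
)

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root on the BSD/SunOS stacks of the time


def parse_line(line):
    """Parse one tcpdump line into a dict; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])  # seconds since midnight
    return {
        "t": t,
        "src": m["src"], "sport": m["sport"],
        "dst": m["dst"], "dport": m["dport"],
        # a bare SYN: the flag field is exactly "S" and the line carries no ack number
        "syn_only": m["flags"] == "S" and " ack " not in line,
        "seq": int(m["seq"]) if m["seq"] else None,
    }


def _is_privileged(port):
    return port.isdigit() and int(port) < PRIVILEGED_PORT_LIMIT


def find_syn_floods(lines, window=5.0, threshold=8):
    """Flag every (src, dst, dport) that sends at least `threshold` bare SYNs
    within some `window`-second span. The defaults are arbitrary (assumption)."""
    syns = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["syn_only"]:
            syns[(p["src"], p["dst"], p["dport"])].append(p)

    findings = []
    for (src, dst, dport), pkts in syns.items():
        pkts.sort(key=lambda p: p["t"])
        # sliding window: largest number of SYNs whose timestamps fit inside `window`
        best, start = 0, 0
        for end in range(len(pkts)):
            while pkts[end]["t"] - pkts[start]["t"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        seqs = [p["seq"] for p in pkts if p["seq"] is not None]
        steps = {b - a for a, b in zip(seqs, seqs[1:])}
        ports = [p["sport"] for p in pkts]
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "syns_in_window": best,
            # ISNs that differ by a small fixed amount from one SYN to the next
            # (1 in the log above) point to hand-built packets, not a host's own stack
            "constant_isn_step": next(iter(steps)) if len(steps) == 1 else None,
            "sequential_source_ports": all(
                a.isdigit() and b.isdigit() and int(b) - int(a) == 1
                for a, b in zip(ports, ports[1:])),
            # source ports below 1024 mean the sender was root (or forged the packets)
            "privileged_source_ports": all(_is_privileged(p) for p in ports),
        })
    return findings


# Sample input: the first ten flood SYNs copied from the log in the post, preceded by
# three constructed lines for an ordinary rlogin handshake from "client.example".
SAMPLE_LOG = """
14:18:20.100000 client.example.1023 > server.login: S 20000:20000(0) win 4096
14:18:20.100500 server.login > client.example.1023: S 30000:30000(0) ack 20001 win 4096
14:18:20.101000 client.example.1023 > server.login: . ack 1 win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096
14:18:23.225384 130.92.6.97.609 > server.login: S 1382726969:1382726969(0) win 4096
14:18:23.282625 130.92.6.97.610 > server.login: S 1382726970:1382726970(0) win 4096
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_syn_floods(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the ordinary handshake produces no finding (one SYN, answered), while the 130.92.6.97 source is reported with ten SYNs inside the window, an ISN step of 1, consecutive privileged source ports 601 through 610. The same parser can be pointed at a full capture; only the thresholds need tuning for the link.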

