Re: Winsock Connections exploits


Brian Mancuso (brianm@cs.bu.edu)
Sun, 9 Aug 1998 21:51:01 -0400 (EDT)


: ... I noticed that if a user signs off their isp without exiting the
: program or disconnecting from telnet
: my program actually stays connected to their IP. I was just wondering
: if there may be any advantages to this or is it just a bug that needs
: fixed ?

This is not a bug, this is correct operation as per the TCP spec.
 
If you set the SO_KEEPALIVE socket option in your server process your
server will periodically poll the client (probably about every two
hours) to see if it's still maintaining the connection, and if it's
not, your server will close its end of it.

In regard to an unauthorized user co-opting your connection, TCP's use
of arbitrary initial sequence numbers provides some measure of
protection against that. It is possible, but very difficult, to guess
the next sequence number of a packet of your TCP session, sending a
substitute packet in your place, thereby taking your connection over.

The vulnerability of TCP to this attack could be decreased
substantially if it simply had some secret-sharing protocol/parameter
in its connection-establishment phase, and labeled each packet with
the value of a pseudo-random number generating function of the
mutually shared secret in its communication phase. The same function
would then be used at the receiving host to verify its
authenticity. This scheme would be vulnerable to man-in-the-middle,
but it precludes anything but exhaustive search in attempting to
co-opt a connection. Alternatively, the pseudo-random value could
take the place of the sequence number itself and in fact become a
function of it; then the receiving host would simply invert the
function with the aid of the mutual secret to simultaneously verify
the packet's authenticity and further use the sequence number
in the TCP protocol.

But it should be fairly easy for you to integrate this functionality
into your own TCP/IP-based c/s application.

Brian Mancuso
brianm@cs.bu.edu
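
An added example, not part of the original post: one way an application running over TCP could label each message with a keyed value and have the receiver verify it, as the message above describes. Assumptions: the secret is already shared out of band, HMAC-SHA256 stands in for the post's pseudo-random function, and the frame layout and the names Sender, Receiver, seal and open are hypothetical.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!QI")   # 64-bit message counter, 32-bit payload length
TAG_LEN = hashlib.sha256().digest_size


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    # HMAC-SHA256 stands in for the post's keyed pseudo-random function.
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def seal(self, payload: bytes) -> bytes:
        header = HEADER.pack(self.seq, len(payload))
        self.seq += 1
        return header + payload + _tag(self.key, header, payload)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        header, payload = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN]
        # Verify the tag before trusting any header field.
        if not hmac.compare_digest(frame[-TAG_LEN:], _tag(self.key, header, payload)):
            raise ValueError("bad tag: not produced with the shared secret")
        seq, length = HEADER.unpack(header)
        if length != len(payload):
            raise ValueError("length field does not match payload")
        if seq != self.expected:
            raise ValueError("replayed or out-of-order message")
        self.expected += 1
        return payload


if __name__ == "__main__":
    key = b"constructed-demo-secret"          # constructed sample value
    tx, rx = Sender(key), Receiver(key)
    print(rx.open(tx.seal(b"hello")))
```

A frame that fails verification leaves the receiver's counter unchanged, so the genuine next message is still accepted afterwards.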



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:57