ICMP and TCP timestamp attacks to reset TCP connections
Updated since 13.04.2005
Published: 05.09.2005
Source: FGONT
SecurityVulns ID: 4689
Type: remote
Level: 6/10
Description: By using different ICMP packet types and TCP timestamp values, it is possible to cause TCP connection resets or degrade connection performance.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 HP : HP-UX 11.00
 CISCO : IOS 11.2
 ORACLE : Solaris 8
 WATCHGUARD : Firebox II
 SUN : Solaris 7
 CISCO : IOS 11.1
 CISCO : IOS 12.1
 CISCO : IOS 11.0
 CISCO : IOS 11.3
 SCO : UnixWare 7.1
 CISCO : IOS 12.2
 HP : HP-UX 11.11
 MICROSOFT : Windows XP
 HP : HP-UX 11.04
 ORACLE : Solaris 9
 WATCHGUARD : Firebox III
 HP : HP-UX 11.22
 MICROSOFT : Windows 2003 Server
 CISCO : Cisco CSS 11000
 CISCO : Aironet 1200
 CISCO : IOS 12.3
 ORACLE : Solaris 10
 HP : HP-UX 11.23
 OPENBSD : OpenBSD 3.5
 FREEBSD : FreeBSD 4.10
 IBM : AIX 5.3
 FREEBSD : FreeBSD 5.3
 OPENBSD : OpenBSD 3.6
 JUNIPER : JunOS 6.3
 FREEBSD : FreeBSD 5.4
 FREEBSD : FreeBSD 4.11
 NETWORKAPPLIANCE : ONTAP 6.5
 WATCHGUARD : Firebox 1000
 WATCHGUARD : Firebox 2500
 WATCHGUARD : Firebox 4500
 WATCHGUARD : Firebox 700
 WATCHGUARD : Firebox SOHO
 WATCHGUARD : Firebox 10
 WATCHGUARD : Firebox 100
 WATCHGUARD : Firebox 60
 WATCHGUARD : Firebox 80
 F5 : BIG-IP 4.5
 F5 : BIG-IP 4.6
 OPENBSD : OpenBSD 3.7
 CISCO : Cisco SN5400
 CISCO : Cisco MGX 8900
 CISCO : Cisco MGX 8800
 CISCO : Cisco MGX 8200
 CISCO : Aironet 350
 ALAXALA : AX7800S
 ALAXALA : AX7800R
 ALAXALA : AX5400S
 HITACHI : Hitachi GR2000
 HITACHI : Hitachi GR4000
 HITACHI : Hitachi GS3000
 HITACHI : Hitachi GS4000
 F5 : BIG-IP 9.1
 BLUECOAT : CacheOS 3.0
 BLUECOAT : CacheOS 4.0
 BLUECOAT : Blue Coat Security Gateway 3.2
 BLUECOAT : Blue Coat Security Gateway 4.1
 AVAYA : Avaya Intuity LX
 AVAYA : Avaya G700
 AVAYA : Avaya G350
 AVAYA : Avaya G250
 AVAYA : Avaya IP Phones 2.0
 AVAYA : Avaya MN100
 AVAYA : Avaya Modular Messaging 2.0
 NORTEL : Nortel Services Edge Router 5500
 NORTEL : Nortel Passport 1150
 NORTEL : Nortel Multiservice Switch 7400
 NORTEL : Nortel Multiservice Switch 6400
 NORTEL : Nortel Multiservice Switch 20000
 NORTEL : Nortel Multiservice Switch 15000
 NORTEL : Nortel Multiservice Access Switch 4400
 NORTEL : Nortel Multiprotocol Router 5430
 NORTEL : Nortel Multiprotocol Router 2430
 NORTEL : Nortel Ethernet Switch 470
 NORTEL : Nortel Ethernet Switch 425
 NORTEL : Nortel Ethernet Switch 420-24T
 NORTEL : Nortel Ethernet Routing Switch 8600
 NORTEL : Nortel Ethernet Routing Switch 5520
 NORTEL : Nortel Ethernet Routing Switch 5510
 NORTEL : Nortel Backbone Link Node
 NORTEL : Nortel Backbone Concentrator Node
 NORTEL : Nortel Application Switch
 NORTEL : Nortel Advanced Remote Node
 NORTEL : Nortel Access Stack Node
 NORTEL : Nortel VPN Router
 HP : Tru64 UNIX 5.1
 HP : Tru64 UNIX 4.0
 AVAYA : Avaya Predictive Dialing System
 BLUECOAT : CacheOS 4.1
 BLUECOAT : SGOS 3.2
 BLUECOAT : SGOS 4.1
CVE: CVE-2005-1192 (Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.)
Original document: SECUNIA, UnixWare ICMP Message Handling Denial of Service (05.09.2005)
 Fernando Gont, [Full-disclosure] ICMP attacks against TCP: Conclusions (23.07.2005)
 Fernando Gont, ICMP-based blind connection-reset attack (23.07.2005)
 Fernando Gont, [Full-disclosure] ICMP-based blind performance-degrading attack (20.07.2005)
 Fernando Gont, [Full-disclosure] Trivial BGP attacks (ICMP-based blind throughput-reduction attack) (20.07.2005)
 SECUNIA, [SA16126] Blue Coat Products ICMP Message Handling Denial of Service (20.07.2005)
 SECUNIA, [SA16106] Avaya Predictive Dialing System TCP/IP Denial of Service (19.07.2005)
 HP, HPSBTU01210 SSRT4743, SSRT4884 rev.0 - HP Tru64 UNIX TCP/IP remote Denial of Service (DoS) (19.07.2005)
 SECUNIA, [SA15761] Nortel Networks Products ICMP Handling Vulnerabilities (16.07.2005)
 Vic Vandal, [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough) (13.07.2005)
 KERNELTRAP, Feature: OpenBSD Hackathon 2005, Part III (07.07.2005)
 Theo de Raadt, ICMP vulnerabilities (07.07.2005)
 SECUNIA, [SA15876] Avaya Products TCP Timestamp Denial of Service (01.07.2005)
 FREEBSD, FreeBSD Security Advisory FreeBSD-SA-05:15.tcp (30.06.2005)
 SECUNIA, [SA15851] Blue Coat Products TCP Timestamp Denial of Service (29.06.2005)
 SECUNIA, [SA15531] BIG-IP TCP Timestamp Denial of Service (27.05.2005)
 SECUNIA, [SA15409] Hitachi Various Products TCP Timestamp Denial of Service (20.05.2005)
 SECUNIA, [SA15434] ALAXALA Networks Products TCP Connection Denial of Service (20.05.2005)
 SECUNIA, [SA15393] Cisco Various Products TCP Timestamp Denial of Service (19.05.2005)
 SECUNIA, [SA15417] OpenBSD TCP Timestamp Denial of Service (19.05.2005)
 HP, [security bulletin] SSRT5954 rev.0 HP-UX TCP/IP Remote Denial of Service (DoS) (26.04.2005)
 CISCO, [Full-disclosure] Cisco Security Advisory: Crafted ICMP Messages Can Cause Denial of Service (13.04.2005)
 FGONT, ICMP attacks against TCP (13.04.2005)
 MICROSOFT, Microsoft Security Bulletin MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066) (13.04.2005)
Files: Proof of Concept for exploiting the TCP Keep Alive implementation
 ICMP attacks against TCP (Proof-of-Concept code) (MS05-019, CISCO:20050412)
 TCP Connection Denial of Service Tool (panic.pl)
 icmp-reset - Blindly resetting arbitrary TCP connections
 icmp-quench - Blindly reducing the throughput of arbitrary TCP connections
 icmp-mtu - Blindly reducing the performance of arbitrary TCP connections
 TCP does not adequately validate segments before updating timestamp value DoS PoC
 Microsoft Security Bulletin MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)