[openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 27 00:27:04 UTC 2016
On Tue 2016-01-26 16:37:58 -0500, Salz, Rich wrote:
> TFO is interesting because it lets UDP-style attacks happen at the TCP
> level. Normally you can't do a TCP attack unless you have a valid
> client IP address.
>
> Imagine connecting once and then sending the syncookie to the botnet.

This suggests that you have on-path capabilities between each of the
reflectors and the victim, right?

If you have on-path capabilities, couldn't you do a similar attack
against a live TCP session? Learn (or create) the sequence number of a
TCP session between each of the reflectors and the target, and
distribute them to the botnet? Then each member of the botnet sends out
a TCP packet (sequence numbers augmented in some coordinated fashion) to
the reflector that triggers an ACK (and even worse, a data flow) from
the reflector to the victim.

I've never done this, so maybe I've missed some mitigating detail, but
it seems like the same risk with or without TFO.

--dkg