Errata
------

Given our simple one-way proxy architecture, we cannot implement a few
of the attacks listed in the original SNI paper, because we cannot
intercept the victim's replies to the attacker.

While we could implement the attacks for a single exploit (phf, for
example), there isn't a good way to generalize this for any arbitrary
attack stream. As it turns out, most of the attacks we omit are the
"invalid" attacks, which are only useful in demonstrating false
positives in the NIDS being tested anyhow.

Here are the SNI attacks we leave out, and why:

tcp-2: Complete a TCP handshake, send the test string in a stream of
       1-byte TCP data segments where the sequence number wraps back
       to zero.

tcp-6: Complete a TCP handshake, send the test string in a series of
       1-byte TCP data segments, and increase the sequence number by
       1000 midway through the stream.

If fragrouter were to rewrite the sequence numbers in the attack
stream to the victim, the victim would ACK the bogus sequence numbers
to the attacker. Since fragrouter isn't playing man-in-the-middle for
both sides of the conversation, the attacker would be desynchronized
very quickly, ending the attack prematurely.

tcbc-1: Do not complete a TCP handshake, but send the test string in a
        series of 1-byte TCP data segments as if a handshake had
        occurred for some arbitrary sequence number.

If fragrouter were to spoof a reply SYN/ACK to the attacker, so that
the attacker would continue the attack for fragrouter to forward, the
victim would issue a RST upon receipt of the spurious ACK packets
containing the attack, ending it prematurely.

tcbt-2: Complete a TCP handshake and send the test string in a series
        of 1-byte TCP data segments. Midway through the stream, tear
        the connection down with a RST (but continue to send the rest
        of the data segments).

Fragrouter's injection of a RST would cause the victim's TCP to close
the connection, and return RSTs to the attacker upon receipt of any
subsequent attack data segments, ending the attack prematurely.

ins-1: Complete a TCP handshake and send the test string in a series
       of 1-byte TCP data segments, each with a bad IP checksum.

This is strictly an implementation bug - for most platforms (besides
Solaris), our use of raw sockets is not at the datalink layer - we
allow the kernel to compute the IP checksum for us.

evade-1: Complete the TCP handshake, include the test string in the
         initial SYN packet.

Fragrouter cannot collect the entire attack from the attacker to
repackage in a single SYN packet without a priori knowledge of the
attack length, and the ability to spoof the server's correct responses
(if necessary).


--
$Id: TODO,v 1.4 1999/06/21 20:05:47 dugsong Exp $
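The tcp-2 and ins-1 cases above describe what a NIDS must get right on the monitoring side: a bad-IP-checksum segment is dropped by the victim's kernel, so a monitor that reassembles it is "inserted" into, and a stream whose sequence numbers wrap past 2^32 must still reassemble in order. The following is an added example, not fragrouter's own code, showing a minimal victim-faithful reassembler that checks both; the addresses, the test string and the choice of ISN are constructed values.

```python
import struct

TEST_STRING = b"GET /cgi-bin/phf"   # constructed sample payload, sent one byte per segment
MASK = 0xFFFFFFFF

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the IP header words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_checksum_valid(header: bytes) -> bool:
    # A header carrying a correct checksum sums to 0xFFFF, which complements to 0.
    return ip_checksum(header) == 0

def build_ip_header(total_len: int, corrupt: bool = False) -> bytes:
    # Minimal 20-byte IPv4 header, protocol 6 (TCP); addresses are constructed.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = ip_checksum(hdr)
    if corrupt:
        csum ^= 0x0001      # one flipped bit: the victim's kernel drops this datagram
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

class StreamReassembler:
    """Reassembles one direction of a TCP stream the way the victim's TCP would."""
    def __init__(self, isn: int):
        self.next_seq = (isn + 1) & MASK    # the SYN consumes one sequence number
        self.pending = {}                   # seq (mod 2^32) -> byte
        self.data = bytearray()

    def segment(self, ip_header: bytes, seq: int, payload: bytes) -> bool:
        if not ip_checksum_valid(ip_header):
            return False    # ins-1: discard what the victim discards, or we see inserted data
        for i, b in enumerate(payload):
            self.pending.setdefault((seq + i) & MASK, b)   # first copy wins (host-specific policy)
        while self.next_seq in self.pending:   # tcp-2: modulo-2^32 arithmetic makes wrap harmless
            self.data.append(self.pending.pop(self.next_seq))
            self.next_seq = (self.next_seq + 1) & MASK
        return True

def run_demo() -> tuple:
    """Deliver the test string in 1-byte segments across the wrap, with one inserted segment."""
    isn = 0xFFFFFFFE                      # chosen so the data sequence numbers wrap 0xFFFFFFFF -> 0
    r = StreamReassembler(isn)
    rejected = 0
    # Inserted segment: right sequence number, bad IP checksum; the victim never sees the "X".
    if not r.segment(build_ip_header(41, corrupt=True), 0, b"X"):
        rejected += 1
    for i, b in enumerate(TEST_STRING):
        r.segment(build_ip_header(41), (isn + 1 + i) & MASK, bytes([b]))
    return bytes(r.data), rejected
```

`run_demo()` returns the reassembled bytes and the count of discarded segments; a monitor that skipped the checksum check would instead reassemble "GXT /cgi-bin/phf" and miss the signature the victim actually receives.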