Quick Blind TCP Connection Spoofing with SYN Cookies

A various of Linux distributions including Ubuntu and Debian is enabled TCP SYN Cookies defence mechanism against SYN-Flooding DoS Attacks by default.



However, this defence mechanism may led to an attack. Jakob Lell developed a PoC exploit and performed a test. He found out that there is about one successful spoof connection every 10 minutes on a 3 year old notebook (HP 6440b, i5-430M CPU and Marvell 88E8072 gigabit NIC) client and a desktop computer as the server. The test was running 10.5 hour overnight and successfully spoofed 64 connections.



He also stated that if the TCP SYN Cookies is not enabled, the attack may also be successful but it may need more time.



Consider what happen if an attacker spoofed a SSH connection without credentials.



Reference



[1] Full Disclosure

[2] Jakob Lell's Blog



That's all! See you.