Hello, welcome to the Friday, August 12th, 2016 edition of the Sansenet Storms and Stormcast.

My name is Johannes Ulrich and today I'm recording from Stockholm, Germany.

Let's start out with an interesting research paper that actually came out a couple weeks ago.

I didn't cover it back then because I really wanted to have a closer look at this

first. Well, this research paper does outline a pretty interesting and new technique to

blindly spoof TCP connections. This is of course pretty exciting and interesting because

it's commonly believed that in modern operating systems,

TCP connections can't be spoofed blindly, meaning that without being able to observe the connection and being able to observe correct sequence numbers,

you cannot simply inject data into a TCP connection.

The sad part about this particular vulnerability is that it's actually not so much an implementation

issue, but really a change to the TCP standard that has been made.

And it is actually a security feature that was added to TCP that's sort of backfiring it.

It was outlined in RFC 5961.

On the good side, it's really only Linux and reasonably recent versions, meaning kernel versions

3.6 and later that implement this feature. But well,

recent meaning 2012 and later. So let's talk a little bit about what's going on here

as much as I can within the confines of this podcast. Please refer to the actual paper and I link to it in the show notes to learn

more about this vulnerability.

Whenever I acknowledge data over TCP, I'll send you an acknowledgement number and ideally

the next segment that I'll receive from you will use a sequence number that

matches the acknowledgement number I just sent you.

But well, that's not always the case.

...