Re: Yahoo Messenger Stale Sessions

From: BANIER Jeremie (jeremie.banierat_private)
Date: Thu Nov 14 2002 - 05:49:51 PST


    Hello,
    I believe switching on keep-alive would perhaps solve that one ...
    
    <knip>
    Windows 2000 TCP keep-alive behavior can be modified by changing the values of the KeepAliveTime and KeepAliveInterval registry
    entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). TCP keep-alives can be sent once for every interval specified by
    the value of KeepAliveTime (defaults to 7,200,000 milliseconds, or two hours) if no other data or higher level keep-alives have
    been carried over the TCP connection. If there is no response to a keep-alive, it is repeated once every interval specified by the value
    of KeepAliveInterval in seconds. By default, the KeepAliveInterval entry is set to a value of one second.
    </knip>
    
    Hope it helps, if not reboot ;-)
    Jeremie
    
    Tat Wee Kan wrote:
    
    > ----- Original Message -----
    > From: <Leonard.Ongat_private>
    > To: <security-basicsat_private>; <incidentsat_private>;
    > <bugtraqat_private>
    > Sent: Monday, November 11, 2002 11:04 AM
    > Subject: Yahoo Messenger Stale Sessions
    >
    > > During my observation in daily use of Yahoo Messenger, my computer has
    > "stale/zombie" sessions.  For example, if I have received/message a friend,
    > yahoo will normally make a direct connection from my PC to my friend.  From
    > Netstat result, you can see a high port on my computer is having an
    > Established session with my peer's:5101 port.
    > >
    > > The issue is, after a contact has gone offline (dial-up), the state
    > established in the netstat will remain until the next day.  I would see this
    > as a vulnerability, since an arbitrary user can assume the IP Address was
    > used (dial-up->dynamic ip assignment), and use this established session to
    > assume it.
    > >
    > > Any idea ?
    >
    > Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for
    > terminating a connection is not done properly, e.g. the user switched off
    > his dial-up modem abruptly, it would cause the "stale/zombie" sessions
    > described as above. The dial-up machine will not have the opportunity to
    > send the FIN to your machine.
    >
    > You probably need to know the sequence number, source port, destination port
    > as well as source IP and destination IP (which you should know).
    
    --
    "Ok, so the servers are down, the lights are out, and all I have to work
    with is a roll of duct tape, a ball point pen, a lighter, and a twenty year
    old copy of emacs.  Where's the problem? "
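
Added example, not part of the original message or of any Yahoo or Microsoft code: the registry entries quoted above are system-wide, but an application can also request keep-alive on an individual connection so that a peer that vanished without sending a FIN does not stay ESTABLISHED for hours. The helper names, the 60 s / 5 s timers and the probe count of 5 are assumptions chosen for illustration.

```python
import socket

def worst_case_detection_s(idle_s, interval_s, probes):
    """Seconds a dead peer can linger as ESTABLISHED: the idle wait
    plus `probes` unanswered keep-alives sent `interval_s` apart."""
    return idle_s + interval_s * probes

def enable_keepalive(sock, idle_s=60, interval_s=5, probes=5):
    """Enable TCP keep-alive on one socket and return the applied settings."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):
        # Windows: per-socket equivalent of KeepAliveTime / KeepAliveInterval,
        # both given in milliseconds. The probe count is not set by this call.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, idle_s * 1000, interval_s * 1000))
        return {"idle_s": idle_s, "interval_s": interval_s, "probes": None}
    # Linux calls the idle timer TCP_KEEPIDLE; macOS calls it TCP_KEEPALIVE.
    idle_opt = (getattr(socket, "TCP_KEEPIDLE", None)
                or getattr(socket, "TCP_KEEPALIVE", None))
    sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    # Read the values back so the caller sees what the kernel accepted.
    return {
        "idle_s": sock.getsockopt(socket.IPPROTO_TCP, idle_opt),
        "interval_s": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }

if __name__ == "__main__":
    # Defaults quoted in the message: 7,200,000 ms idle, 1 s between probes.
    # The probe count of 5 is an assumption for this calculation.
    print("quoted defaults:", worst_case_detection_s(7200, 1, 5), "s")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        cfg = enable_keepalive(s)
        print("per-socket settings:", cfg)
        if cfg["probes"] is not None:
            print("tuned:", worst_case_detection_s(**cfg), "s")
    finally:
        s.close()
```

With keep-alive enabled, a connection whose probes go unanswered is reset by the local stack and disappears from the netstat output instead of remaining ESTABLISHED.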
    
    
    
    




    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 11:48:15 PST