Re: crc32 compensation attack

To: Micah Anderson <micah@riseup.net>
Cc: debian-security@lists.debian.org
Subject: Re: crc32 compensation attack
From: Jamie Heilman <jamie@audible.transient.net>
Date: Mon, 24 Sep 2001 00:25:01 -0700
Message-id: <[🔎] 20010924002500.A18726@audible.transient.net>
In-reply-to: <[🔎] 20010923232559.C18663@riseup.net>; from micah@riseup.net on Sun, Sep 23, 2001 at 11:25:59PM -0700
References: <[🔎] 20010923232559.C18663@riseup.net>

Micah Anderson wrote:

> Got what appears to be a "crc32 compensation attack in my logs today,
> about 10 minutes worth of these types of messages.... should I be
> worried? Should I laugh at this feable attempt to break in? Should I
> gnaw my fingernails with my shotgun on my lap?

heh, http://www.plif.com/archive/wc055.gif

I would be worried that somebody is interested in your ssh sessions.  I
would be less worried that they were able to successfully compromise the
session, but check the source code for that message so you can find out
where it was generated and what the attacker may have been trying to do.
(I would have closed the session as soon as I saw this myself though just
to be on the safe side.) There was a theoretical attack against the crc32
compensation attack detector itself a while back, this might be what you
saw.  http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

-jamie

Reply to:

References:
- crc32 compensation attack
  - From: Micah Anderson <micah@riseup.net>

Prev by Date: Re: Need Help with the Debian Securing Manual (contributions accepted)
Next by Date: Questions regarding the Security Secretary Position
Previous by thread: crc32 compensation attack
Next by thread: Subject!
Index(es):
- Date
- Thread