Bugtraq mailing list archives
Re: Borderware predictable initial TCP sequence numbers
From: sullivan () SECLAB COM (Gigi Sullivan)
Date: Wed, 2 Sep 1998 10:56:52 +0200
Hello there,

This can be applied also to Firewall-1 (CheckPoint) running on an HP-UX 10.X series.

bye bye

-- gg sullivan

--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax:   +39-2-66981953
I-20124 Milano ITALY            Email: sullivan () seclab com

On Tue, 1 Sep 1998, Roy Hills wrote:
Date: Tue, 1 Sep 1998 09:55:24 +0100
From: Roy Hills <Roy.Hills () NTA-MONITOR COM>
To: BUGTRAQ () NETSPACE ORG
Subject: Borderware predictable initial TCP sequence numbers

While performing an Internet security scan (aka penetration test) for a UK corporate customer, I've discovered that version 5 of Borderware Firewall generates predictable initial TCP sequence numbers in response to incoming SYNs. The observed pattern is the familiar "64k increments" often seen on older Unix kernels.

This allows TCP connections to be established with a spoofed source address.
[snip]
--
Roy Hills                                Tel:   01634 721855
NTA Monitor Ltd                          FAX:   01634 721844
6 Beaufort Court, Medway City Estate,    Email: Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FB, UK              WWW:   http://www.nta-monitor.com/
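
An audit-side check for the pattern reported in the quoted message, added here as an example that is not part of the original thread: given ISNs sampled from successive SYN-ACKs of a device you administer, it reports whether every increment shares a fixed step. The 64000 step (the reading of "64k" assumed here), the 256 threshold, the function names and all sample values are assumptions or constructed.

```python
"""Classify initial sequence numbers (ISNs) sampled from a device's SYN-ACKs.

Added illustration, not code from the thread. STEP_64K = 64000 is an assumed
reading of "64k increments"; the sample ISNs are constructed.
"""
from functools import reduce
from math import gcd

MOD = 1 << 32            # TCP sequence numbers are 32-bit and wrap
STEP_64K = 64000         # assumption: step used by older BSD-derived stacks
MIN_COMMON_STEP = 256    # assumption: a shared factor this large is not chance


def isn_deltas(isns):
    """Forward differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns, min_samples=4):
    """Return (label, common_step) for ISNs listed in the order observed."""
    if len(isns) < min_samples:
        return ("insufficient-samples", None)
    deltas = isn_deltas(isns)
    if not any(deltas):
        return ("constant", 0)
    step = reduce(gcd, deltas)          # largest step dividing every delta
    if step % STEP_64K == 0:
        return ("64k-increments", step)
    if step >= MIN_COMMON_STEP:
        return ("fixed-step", step)
    # No arithmetic pattern in this sample; this is not proof of randomness.
    return ("no-fixed-step", step)


# Constructed samples; the first wraps past 2**32 between the 2nd and 3rd ISN.
SAMPLE_64K = [4294900000, 4294964000, 124704, 188704, 380704, 444704]
SAMPLE_STEP_800 = [1000, 1800, 3400, 4200, 6600]
SAMPLE_MIXED = [305419896, 2452903543, 3452903543, 2157936247, 2281393036]

if __name__ == "__main__":
    for name, sample in [("64k", SAMPLE_64K), ("800", SAMPLE_STEP_800),
                         ("mixed", SAMPLE_MIXED)]:
        print(name, classify_isns(sample))
```

A "no-fixed-step" result only means this sample shows no shared increment; it does not establish that the generator is unpredictable.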