Bugtraq mailing list archives
Re: Borderware predictable initial TCP
From: ivan () SECURENETWORKS COM (Ivan Arce,CORE SDI)
Date: Tue, 8 Sep 1998 20:31:22 -0600
On Thu, 3 Sep 1998, Roy Hills wrote:
While NT 4 SP3 does have a pattern to its initial TCP sequence numbers, my observations show this to be a "one-per-millisecond" sequence which is much less of a problem than the "64k increments" pattern exhibited by Borderware and HP-UX 10.x default configurations. With the "64k increments" pattern, the server's initial TCP sequence number is increased by 64,000 for each incoming connection and by 128,000 each second. These granularities of inbound connections and seconds are sufficiently coarse to make sequence number prediction trivial.

By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3 increases the initial TCP sequence number by one every millisecond. I think that this would be very difficult to exploit remotely because the latency variations over an Internet connection are generally much greater than a millisecond. I guess that it may be possible to exploit over a LAN connection, but even then, I doubt that it would be easy.

Has anyone actually seen or demonstrated a successful spoofing attack against NT 4 SP3 over an Internet connection?

Roy Hills
NTA Monitor
Hmmm, NT+SP3, Pentium 233 MHz. How exploitable does this look:

TCP Initial Sequence Numbers

###:  Sequence Number   RTT     Difference
---:  ---------------   ------  ----------
  0   547735488         9 ms.   0
  1   547735979         9 ms.   491
  2   547736480         9 ms.   501
  3   547736980         9 ms.   500
  4   547737481         9 ms.   501
  5   547737982         9 ms.   501
  6   547738483         9 ms.   501
  7   547738983         9 ms.   500
  8   547739484         9 ms.   501
  9   547739975         9 ms.   491
 10   547740475         9 ms.   500
 11   547740976         9 ms.   501
 12   547741477         9 ms.   501
 13   547741978         9 ms.   501
 14   547742478         9 ms.   500
 15   547742979         9 ms.   501
 16   547743480         9 ms.   501
 17   547743980         9 ms.   500
 18   547744481         9 ms.   501
 19   547744982         9 ms.   501
 20   547745483         9 ms.   501
 21   547745983         9 ms.   500
 22   547746474         9 ms.   491
 23   547746975         9 ms.   501
 24   547747475         9 ms.   500
 25   547747976         9 ms.   501
 26   547748477         9 ms.   501
 27   547748978         9 ms.   501
 28   547749478         9 ms.   500
 29   547749979         9 ms.   501
 30   547750480         9 ms.   501
 31   547750981         9 ms.   501
 32   547751481         9 ms.   500
 33   547751982         9 ms.   501
 34   547752483         9 ms.   501
 35   547752983         9 ms.   500
 36   547753484         9 ms.   501
 37   547753975         9 ms.   491
 38   547754476         9 ms.   501
 39   547754976         9 ms.   500
 40   547755477         9 ms.   501
 41   547755978         9 ms.   501
 42   547756478         9 ms.   500
 43   547756979         9 ms.   501
 44   547757480         9 ms.   501
 45   547757981         9 ms.   501
 46   547758481         9 ms.   500
 47   547758982         9 ms.   501
 48   547759483         9 ms.   501
 49   547759983         9 ms.   500
 50   547760484         9 ms.   501

mean < 499.92>
standard deviation (square) < 7.2588>

==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce                          Gerencia de Tecnologia
Email : ivan () core-sdi com
Av. Santa Fe 2861 5to C            TE  : +54-1-821-1030
CP 1425                            FAX : +54-1-821-1030
Buenos Aires, Argentina            Mensajeria: +54-1-317-4157
==============================================================================
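The numbers in the table above are what a defender gets by sampling a host's ISNs and looking at the deltas. As an added example (not code from the original thread or from CORE SDI), the following script recomputes the "Difference", "mean" and "standard deviation (square)" values from the 51 ISNs in the post and gives a coarse verdict on the generator; the 5% spread threshold in `classify_isn_generator` is an assumption chosen for illustration.

```python
# Added example: offline audit of a sequence of observed TCP initial sequence
# numbers (ISNs), e.g. extracted from a packet capture of repeated connections
# to one host. It reproduces the statistics in Ivan Arce's table.
import math
from statistics import mean, variance

# The 51 ISNs from the NT 4 SP3 table in the post, in observation order.
OBSERVED_ISNS = [
    547735488, 547735979, 547736480, 547736980, 547737481, 547737982,
    547738483, 547738983, 547739484, 547739975, 547740475, 547740976,
    547741477, 547741978, 547742478, 547742979, 547743480, 547743980,
    547744481, 547744982, 547745483, 547745983, 547746474, 547746975,
    547747475, 547747976, 547748477, 547748978, 547749478, 547749979,
    547750480, 547750981, 547751481, 547751982, 547752483, 547752983,
    547753484, 547753975, 547754476, 547754976, 547755477, 547755978,
    547756478, 547756979, 547757480, 547757981, 547758481, 547758982,
    547759483, 547759983, 547760484,
]


def isn_differences(isns):
    """Successive ISN deltas, reduced mod 2**32 so a counter wrap-around
    (e.g. 0xFFFFFFF0 followed by 0x10) yields a small positive step."""
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


def isn_stats(isns):
    """(mean delta, sample variance of delta); the post's 'standard deviation
    (square)' of 7.2588 matches the n-1 estimator that variance() uses."""
    d = isn_differences(isns)
    return mean(d), variance(d)


def classify_isn_generator(isns):
    """Coarse verdict on the ISN source. A delta whose spread is tiny relative
    to its size means the ISN is a linear function of time or connection count,
    so an observer who knows one ISN can bound the next one closely."""
    m, var = isn_stats(isns)
    sd = math.sqrt(var)
    if sd == 0:
        return "constant increment (fully predictable)"
    if sd < 0.05 * m:  # assumed threshold: spread below 5% of the mean step
        return "time-dependent counter (predictable)"
    return "no simple linear pattern in this sample"


if __name__ == "__main__":
    m, var = isn_stats(OBSERVED_ISNS)
    print(f"mean delta {m:.2f}, variance {var:.4f}, sd {math.sqrt(var):.2f}")
    print(classify_isn_generator(OBSERVED_ISNS))
```

A generator that passes this check can still be weak (e.g. a repeating or seeded sequence), so treat the verdict as a screening test, not proof of randomness.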