Bugtraq mailing list archives
Re: Not so random TCP initial sequence numbers
From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Fri, 16 Mar 2001 16:50:37 +0100
Elias Levy <aleph1 () SECURITYFOCUS COM> writes:
> It seems the vulnerability lies in the implementation of some TCP/IP stacks that attempt to randomize TCP's initial sequence numbers - ironically for the purpose of not generating predictable ISNs to stop blind IP spoofing of TCP connections. While the ISNs generated by these implementations appear random they apparently are statistically predictable.
I think this is the cause. For example, Solaris 2.6 uses a PRNG when the "tcp_strong_iss" sysctl has the value 1. The PRNG output (and the ISN derived from it) appears pretty random to the casual observer (e.g. nmap), but with a more sophisticated approach, it should be possible to recover the internal state of the PRNG. If "tcp_strong_iss" is set to 2, the RFC 1948 approach is implemented, which is probably secure.

For an example of how to set "tcp_strong_iss" properly, see 'Example G' http://www.enteract.com/~lspitz/example.html

--
Florian Weimer                Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart       http://cert.uni-stuttgart.de/
RUS-CERT                      +49-711-685-5973/fax +49-711-685-5898
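The RFC 1948 scheme that Florian contrasts with the PRNG-based generator is ISN = M + F(localhost, localport, remotehost, remoteport, secret): M is the RFC 793 clock ticking every 4 microseconds, F is a one-way function over the connection 4-tuple and a secret chosen once per boot. The following is an added illustration of that scheme, not Solaris code and not part of the thread; it assumes MD5 truncated to 32 bits as F (the function RFC 1948 suggests) and uses constructed documentation-range addresses and a per-process secret in place of a kernel's per-boot secret.

```python
"""RFC 1948-style TCP ISN generation (added example; not Solaris code).

ISN = M + F(localhost, localport, remotehost, remoteport, secret)
  M      RFC 793 clock that ticks every 4 microseconds
  F      one-way function; RFC 1948 suggests MD5, truncated here to 32 bits
  secret chosen once per boot and never exposed on the wire
"""
import hashlib
import secrets
import struct
import time

# Constructed per-process secret standing in for a per-boot kernel secret.
BOOT_SECRET = secrets.token_bytes(16)


def isn_offset(local_ip: str, local_port: int,
               remote_ip: str, remote_port: int,
               secret: bytes = BOOT_SECRET) -> int:
    """F(): a fixed offset for one connection 4-tuple, unknowable without the secret."""
    h = hashlib.md5()
    h.update(local_ip.encode("ascii"))
    h.update(struct.pack("!H", local_port))
    h.update(remote_ip.encode("ascii"))
    h.update(struct.pack("!H", remote_port))
    h.update(secret)
    return struct.unpack("!I", h.digest()[:4])[0]


def isn_rfc1948(local_ip: str, local_port: int,
                remote_ip: str, remote_port: int,
                secret: bytes = BOOT_SECRET,
                now_us=None) -> int:
    """ISN for a new connection: per-tuple offset plus the 4-microsecond clock.

    now_us may be supplied explicitly so that callers (and tests) get a
    reproducible value; by default the monotonic clock is read.
    """
    if now_us is None:
        now_us = time.monotonic_ns() // 1_000
    m = (now_us // 4) & 0xFFFFFFFF
    f = isn_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (m + f) & 0xFFFFFFFF


def isn_clock_step(local_ip: str, local_port: int,
                   remote_ip: str, remote_port: int,
                   secret: bytes = BOOT_SECRET,
                   start_us: int = 0, step_us: int = 4) -> int:
    """Difference between two ISNs for the same 4-tuple separated by step_us.

    For one tuple the sequence still advances like an RFC 793 clock, so the
    usual protection against old duplicate segments is kept; what the secret
    hides is the offset between different tuples.
    """
    a = isn_rfc1948(local_ip, local_port, remote_ip, remote_port, secret, start_us)
    b = isn_rfc1948(local_ip, local_port, remote_ip, remote_port, secret, start_us + step_us)
    return (b - a) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not real hosts.
    print(hex(isn_rfc1948("192.0.2.10", 80, "198.51.100.7", 40000)))
```

An observer who sees the ISN of its own connection learns M plus its own offset, but without the secret that offset says nothing about the offset of another 4-tuple, which is what blind spoofing would need. Within one tuple the ISN still advances with the clock, which is the property RFC 793 relies on.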
Current thread:
- Not so random TCP initial sequence numbers Elias Levy (Mar 14)
- Re: Not so random TCP initial sequence numbers Florian Weimer (Mar 16)