nanog mailing list archives
Re: TCP RST attack (the cause of all that MD5-o-rama)
From: Paul Jakma <paul () clubi ie>
Date: Wed, 21 Apr 2004 20:14:03 +0100 (IST)
On Tue, 20 Apr 2004, Patrick W.Gilmore wrote:
> (Someone check my math. :)

Try not to include text after your sig. Some people set their mailers to strip sigs from replies.

> Sequence numbers are 32 bits. Since the miscreant only needs to guess once every 14 bits, you get:
>
> 2^32 / 2^14 == 262144

I.e., no more than 262144 different sequence numbers required to hit a window. 262144 packets @ 10kpps will take:

262144/(10*1000) = 26.21440

That's 26 _seconds_, not hours - with a probability of 1. Though after 13s of sending packets, probability is 0.5.

At just 100pps:

262144/(100)/60 = 43.69

So 44 minutes at a low packet rate, ~5kB/s, probability of 1 that you will have hit the window (of the sequence number as it was for the first packet :) ); at 22 minutes you're already at P(0.5).

However, for the 10kpps case, you have at most 26s to notice the 10kpps / 480kB/s traffic.

> There is a router vendor out there which defaults to source ports between 1024 and 5000, or so I have been told. (This router vendor does many things very well and should not be considered a Bad Vendor for this one minor error, which I hope they will fix ASAP.)
>
> We now have:
>
> (5000 - 1024) * 262144 == 1042284544

Which is only 28 hours at 10kpps:

1042284544/(10*1000)/3600 = 28.95234

A bit less likely, admittedly.

regards,
-- 
Paul Jakma	paul () clubi ie	paul () jakma org	Key ID: 64A2FF6A
warning: do not ever send email to spam () dishone st
Fortune:
All bridge hands are equally likely, but some are more equally likely than others.
		-- Alan Truscott
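The arithmetic in the exchange above, as an added example that is not part of the original thread: a small Python model of how many blind RST probes are needed to land inside a receive window, how long that takes at a given packet rate, and how the probability of a hit grows over time. It reproduces the figures quoted in the thread (2^14-byte window, 10kpps and 100pps, and the 1024..5000 source-port range counted as 5000 - 1024 candidates, exactly as the post does). The per-packet size of 48 bytes is an assumption, chosen only because it matches the post's "10kpps / 480kB/s"; a defender can use the same model to see how much a larger window, or a wider ephemeral-port range, changes the exposure and how quickly a rate-based alert would have to fire.

```python
import math

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32 bits wide
ASSUMED_RST_BYTES = 48       # assumption: bytes on the wire per RST, matches "10kpps / 480kB/s"


def rst_guesses(window_bytes: int, src_ports: int = 1) -> int:
    """Probes needed to cover the whole sequence space once, i.e. to reach
    probability 1 of hitting the receive window, assuming the remaining
    4-tuple fields are known.  Each probe covers `window_bytes` sequence
    numbers; every additional candidate source port multiplies the work.
    """
    per_port = math.ceil(SEQ_SPACE / window_bytes)
    return per_port * src_ports


def seconds_to_hit(guesses: int, pps: float, probability: float = 1.0) -> float:
    """Time to reach the given hit probability at `pps` packets per second.
    The thread's model is sampling without replacement, so probability
    grows linearly with the number of probes sent (0.5 at half the count).
    """
    return guesses * probability / pps


def hit_probability(guesses: int, pps: float, seconds: float) -> float:
    """Probability that the window has been hit after `seconds` of probing."""
    return min(1.0, pps * seconds / guesses)


def bandwidth_kbps(pps: float, packet_bytes: int = ASSUMED_RST_BYTES) -> float:
    """Sustained probe traffic in kB/s, useful for sizing a rate-based alert."""
    return pps * packet_bytes / 1000


if __name__ == "__main__":
    window = 2 ** 14                      # the 14-bit window used in the post
    single = rst_guesses(window)
    print(f"guesses for one port:        {single}")
    print(f"seconds at 10kpps (P=1):     {seconds_to_hit(single, 10_000):.2f}")
    print(f"seconds at 10kpps (P=0.5):   {seconds_to_hit(single, 10_000, 0.5):.2f}")
    print(f"minutes at 100pps (P=1):     {seconds_to_hit(single, 100) / 60:.2f}")
    print(f"traffic at 10kpps:           {bandwidth_kbps(10_000):.0f} kB/s")

    # Source port unknown but confined to 1024..5000, counted as the post does
    ports = 5000 - 1024
    ranged = rst_guesses(window, ports)
    print(f"guesses across {ports} ports:  {ranged}")
    print(f"hours at 10kpps (P=1):       {seconds_to_hit(ranged, 10_000) / 3600:.2f}")
```

Running the block prints the thread's numbers: 262144 guesses, about 26 seconds at 10kpps (13 seconds for a coin-flip), about 44 minutes at 100pps, and 1042284544 guesses or roughly 29 hours once the source port has to be searched across the 1024..5000 range.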