Vulnerability Development mailing list archives

Re: TCP Sequence Prediction


From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Wed, 29 Mar 2000 21:04:38 -0800


* Dean Michael Dorman <Dean () PUTNAMCOMPANY COM> [000329 20:11]:
> Pardon me if this is a trivial question but after nmapping several servers I
> find that NT boxen usually come up with:
>
> TCP Sequence Prediction: Class=trivial time dependency
>                          Difficulty=6 (Trivial joke)
>
> I was wondering how to increase the security here (besides removing NT and
> installing OpenBSD).

(This is a guess, so if someone would correct me if I am wrong, I would
very much appreciate it. :)

I think the best way to make the tcp sequence more difficult to predict
is just that -- use another machine to generate the sequences. Rather
than replace all your NT boxen with OpenBSD you could instead place a
proxy between your NT boxen and your internet link; one that would
rewrite the sequences for you.

You could either use application proxies for individual services (such
as http) or you could use a NAT box, which (again, guessing ;) re-writes
the tcp sequence numbers.

If you need to protect the services from an internal session hijacking
threat as well as external, then you could hang each NT box on the other
side of a dedicated NAT box.

I think with this method you could get the cryptographically random
sequence numbers of OpenBSD while your users shouldn't notice any
differences in how they use the services.

HTH


--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
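
The sequence rewriting suggested in the message above, as an added example that is not part of the original post: a stateful middlebox (class and function names here are hypothetical) adds a random per-connection offset to the protected host's sequence numbers and subtracts it again from inbound ACKs. The addresses and host ISNs are constructed sample values.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


class SeqModulator:
    """Hypothetical middlebox state: one random offset per connection."""

    def __init__(self, rng=lambda: secrets.randbits(32)):
        self._rng = rng
        self._offset = {}  # (host, hport, peer, pport) -> offset

    def outbound(self, conn, seq, syn=False):
        """Rewrite the sequence number of a segment leaving the protected host."""
        if syn and conn not in self._offset:
            # Chosen once, on the host's SYN or SYN/ACK; a retransmit reuses it.
            self._offset[conn] = self._rng()
        return (seq + self._offset[conn]) % MOD

    def inbound_ack(self, conn, ack):
        """Map the peer's ACK back into the host's own sequence space.
        SACK blocks in the same segment would need the same subtraction."""
        return (ack - self._offset[conn]) % MOD

    def close(self, conn):
        self._offset.pop(conn, None)  # drop state when the connection ends


def wire_isns(host_isns, mod=None):
    """Return the ISNs an outside observer sees for a series of connections."""
    mod = mod or SeqModulator()
    out = []
    for i, isn in enumerate(host_isns):
        conn = ("10.0.0.5", 80, "192.0.2.7", 40000 + i)  # constructed 4-tuples
        out.append(mod.outbound(conn, isn, syn=True))
    return out


if __name__ == "__main__":
    # Constructed host ISNs with a fixed step, i.e. a trivial time dependency.
    host = [1000 + 64000 * i for i in range(5)]
    wire = wire_isns(host)
    print("host deltas:", [b - a for a, b in zip(host, host[1:])])
    print("wire deltas:", [(b - a) % MOD for a, b in zip(wire, wire[1:])])
```

A device doing this on real traffic also has to recompute the TCP checksum after each rewrite.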


