Vulnerability Development mailing list archives
Statistical (Birthday?) attack against TCP ISNs?
From: "Granquist, Lamont" <lamont () SCRIPTKIDDIE ORG>
Date: Sun, 18 Mar 2001 19:27:19 -0800
Here's a thought on how to attack TCP ISNs irregardless of the strength of the PRNG being used: 1. fill the listen() backlog of 32768 connections completely with connections that have the same ISN (SYN flooding with the same ISN) 2. keep guessing reply ISNs and sending ACKs until statistically you succeed The success of this would come after 2^32 / 2^15 = 2^17 (131,072) guesses of ACK packets. You'd need to make sure the listen() backlog was kept full during this whole time. Problems: 1. I'm not sure what happens when you SYN flood with packets that have the same ISN -- you may not generate 32768 table entries. 2. Do you even need to worry about the ISN that you sent in the SYN packet? I can't remember if we need to remember this or not, its been a year or two since I've torn apart TCP connections at this level... 3. SYN cookies? 4. Anything that can take entries out of the listen() queue. I need hit Stevens a bit more to refresh my memory and answer these questions, but I thought I'd throw this out there. (And obviously this is all inspired by trying to figure out what Newsham's attack against TCP ISNs is...) I rolled up a little bit of perl to monte carlo simulate this and confirm that it would take about 2^17 tries to succeed. I haven't actually tried this against a target TCP/IP stack though...
Current thread:
- Statistical (Birthday?) attack against TCP ISNs? Granquist, Lamont (Mar 18)
- Re: Statistical (Birthday?) attack against TCP ISNs? Granquist, Lamont (Mar 20)