Bugtraq mailing list archives

Re: preventing sequence number guessing


From: dawagner () phoenix Princeton EDU (David A. Wagner)
Date: Wed, 25 Jan 1995 15:47:23 -0500 (EST)



I've only got one novel idea: instead of using tcp_iss directly
for the SYN every time a new TCP/IP connection is opened, send
MD5(tcp_iss) [or maybe MD5(tcp_iss, time(NULL), ...)].

This sounds awfully expensive.  One md5 operation for each
new passive or active connection.


On an unloaded Sparc LX, I get

~/scratch/md5 $ time ./md5drivr -t
MD5 time trial. Digesting 1000000 8-byte blocks ... done
Digest = 2278bf63bfa354c582138cde1233fd15
Time = 7 seconds
Speed = 1142857 bytes/second
6.776s real  6.680s user  0.090s system  99% ./md5drivr -t

So it takes about 7 u-seconds to MD5 hash a small block on a
fairly wimpy Sun.  [It's faster on faster boxes, of course.]

Since network roundtrip times are on the order of milliseconds,
this won't cause any delay for the guy on the other side of the net.

On the other hand, what about CPU load on the local machine?
Hrmmm... if you receive 1500 connections a second *consistently*,
you'll have a 1% slowdown with this addition, which would be
bad news...  Does anyone receive that many new connection
requests a second?  [I have no intuition for whether 1500 is
a large number or a small one here.]

-------------------------------------------------------------------------------
David Wagner                                             dawagner () princeton edu
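The two things the post reasons about, a predictable tcp_iss counter versus an ISS derived from MD5(tcp_iss, time(NULL), ...), and the per-hash cost turned into a CPU-load fraction at a given connection rate, as an added example that is not part of the original post and not code from its author or from any TCP stack. It is Python rather than kernel C so that hashlib's MD5 can stand in for the stack's MD5 routine. The per-boot secret (one assumed input for the "..." in the post's formula), the 64000 increment of the counter, and the choice to take the first 32 bits of the digest as the ISS are all assumptions made for the example.

```python
import hashlib
import os
import struct
import time

# Constructed per-boot secret: an assumed extra input standing in for the
# "..." in MD5(tcp_iss, time(NULL), ...). Not from the original post.
BOOT_SECRET = os.urandom(16)

ISS_INCREMENT = 64000  # constructed constant for the predictable counter


def counter_iss(prev_iss, increment=ISS_INCREMENT):
    """Predictable ISS: the next value is the previous one plus a fixed step."""
    return (prev_iss + increment) & 0xFFFFFFFF


def guess_next_iss(observed_iss, increment=ISS_INCREMENT):
    """What an attacker who saw one ISS would guess for the next connection."""
    return counter_iss(observed_iss, increment)


def hashed_iss(tcp_iss, now, secret=BOOT_SECRET):
    """Hashed ISS: first 32 bits of MD5(tcp_iss || now || secret).

    tcp_iss is the stack's 32-bit counter, now is a time(NULL)-style
    integer, secret is the assumed extra input. Taking the leading four
    digest bytes as the 32-bit ISS is this example's choice."""
    data = struct.pack("!IQ", tcp_iss & 0xFFFFFFFF,
                       now & 0xFFFFFFFFFFFFFFFF) + secret
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]


def seconds_per_md5(iterations=100_000, block=b"\x00" * 8):
    """Time trial in the spirit of md5drivr -t: cost of one MD5 of an 8-byte block."""
    start = time.perf_counter()
    for _ in range(iterations):
        hashlib.md5(block).digest()
    return (time.perf_counter() - start) / iterations


def cpu_fraction(per_hash_seconds, connections_per_second):
    """Fraction of one CPU spent hashing at a steady new-connection rate."""
    return per_hash_seconds * connections_per_second


if __name__ == "__main__":
    observed = counter_iss(0x12345678)
    print("counter ISS: attacker guess correct?",
          guess_next_iss(observed) == counter_iss(observed))
    print("hashed ISS for the next connection: %08x"
          % hashed_iss(counter_iss(observed), int(time.time())))
    per_hash = seconds_per_md5()
    print("MD5 cost on this box: %.2f us/hash" % (per_hash * 1e6))
    print("CPU fraction at 1500 conn/s, measured: %.4f"
          % cpu_fraction(per_hash, 1500))
    print("CPU fraction at 1500 conn/s, post's 7 us figure: %.4f"
          % cpu_fraction(7e-6, 1500))
```

With the counter, one observed ISS lets the guess function reproduce the next one exactly; with the hash, the next ISS depends on inputs the observer does not hold. The load model is the post's arithmetic made explicit: per-hash cost times connections per second gives the fraction of a CPU consumed, so 7 microseconds at 1500 connections a second is about 0.0105.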


