Bugtraq mailing list archives

TCP Sequence Number Prediction Implementation


From: mcn () EnGarde com (Mike Neuman)
Date: Tue, 28 Mar 1995 23:55:57 -0600


  Hello,

  This first part is sort of relevant to bugtraq (If you're not interested, 
skip down to the ObBug and the part below it) :-) I have written an 
implementation of the TCP sequence number prediction (as allegedly used by 
Mitnick and described by Bellovin and Morris). Works pretty well too.. :-)

  So, the question is: Is there any value in posting the source? Presumably
people can find themselves a description of how it works, but posting running
source may give more insight into the problem and spur the slower vendors
into fixing it, or at least notifying their customers how to fix it 
themselves.

  Okay, okay:

ObBug:
  Given an open TCP connection between host A and B with sequence numbers
Seq(A) and Seq(B). Host W (the intruder) injects a spoofed packet to B using
the proper Seq(A) (obtained any number of ways).
Assume the following scenario:

A -> B: Seq(A), 7 bytes of data
B -> A: Seq(B), ACK Seq(A)+7
W -> B: Seq(A)+7, 10 bytes of data
B -> A: Seq(B), ACK Seq(A)+17

A -> B: Seq(A)+7, ACK Seq(B)
B -> A: Seq(B), ACK Seq(A)+17
...

The last two steps are repeated forever. The problem is host A receives an
ACK for data it never sent. Instead of complaining, it resends its sequence
number to B along with the ACK where it expects B's sequence number to be.
B, on the other hand, assumes A is retransmitting old data--it's already
received through Seq(A)+7. So, it simply ACKs receipt of the old data and
notifies A of its current position in the stream Seq(A)+17.

The result is an ACK war. Neither side is content with the other's response,
so they re-ACK in an attempt to reposition the data stream. Neither side can
win, so the network is completely hosed until A or B terminates the 
connection. (To both A and B it looks like the network is just slow, so 
they aren't likely to quit for a while).

-Mike

--
Mike Neuman (mcn () EnGarde com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn   - http://www.cec.wustl.edu/~dmm2/egs/egs.html
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS
 data structures for S[ystem] 5 didn't understand data types." - Solaris source
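The ACK war described in the post, replayed as an added example (this is not code from the original post or from Mike Neuman). It is a toy Python model of the two endpoints that keeps only the RFC 793 receive-path rules needed to reproduce the loop (sequence-acceptability check, unacceptable-ACK check, in-order data), so windows, timers and teardown are left out. The host names, the initial sequence numbers and the injected segment are all constructed here, and the `detect_ack_storm` function is a simple per-direction duplicate-ACK counter of the kind a passive monitor could use to spot the resulting desynchronisation.

```python
"""Toy model of the TCP ACK war: two endpoints plus one injected segment.

Constructed scenario; the receive logic is a simplification of RFC 793.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str                 # source as written in the header (W forges "A")
    dst: str
    seq: int
    ack: int
    length: int = 0          # payload bytes; 0 means a pure ACK

    def __str__(self):
        tail = f"{self.length} bytes of data" if self.length else "ACK only"
        return f"{self.src} -> {self.dst}: seq={self.seq} ack={self.ack} ({tail})"


@dataclass
class Endpoint:
    name: str
    snd_nxt: int             # next sequence number this host will send
    rcv_nxt: int             # next sequence number it expects from the peer

    def send_data(self, peer, nbytes):
        seg = Segment(self.name, peer, self.snd_nxt, self.rcv_nxt, nbytes)
        self.snd_nxt += nbytes
        return seg

    def pure_ack(self, peer):
        return Segment(self.name, peer, self.snd_nxt, self.rcv_nxt, 0)

    def receive(self, seg):
        """Return the segment sent in response, or None if nothing is due."""
        if seg.seq != self.rcv_nxt:
            # Old or out-of-order segment: drop it and re-state our position.
            return self.pure_ack(seg.src)
        if seg.ack > self.snd_nxt:
            # ACK for bytes we never sent: drop it and re-state our position.
            return self.pure_ack(seg.src)
        if seg.length:
            self.rcv_nxt += seg.length   # in-order data: accept it and ACK
            return self.pure_ack(seg.src)
        return None                      # acceptable pure ACK: stay silent


def run_scenario(inject=True, max_rounds=6):
    """Replay the post's exchange; returns (trace, A, B).

    max_rounds bounds the ACK war, which otherwise never ends.
    """
    a = Endpoint("A", snd_nxt=1000, rcv_nxt=5000)   # constructed ISNs
    b = Endpoint("B", snd_nxt=5000, rcv_nxt=1000)
    hosts = {"A": a, "B": b}
    trace = []

    def deliver(seg, cap):
        # Hand the segment to its destination and chase replies until one
        # side has nothing to say or the trace reaches cap segments.
        while seg is not None and len(trace) < cap:
            trace.append(seg)
            seg = hosts[seg.dst].receive(seg)

    deliver(a.send_data("B", 7), cap=10)        # A -> B data, B ACKs, A is satisfied
    if inject:
        # W forges A's address and uses the sequence number B expects next.
        forged = Segment("A", "B", a.snd_nxt, a.rcv_nxt, 10)
        deliver(forged, cap=len(trace) + 2 + 2 * max_rounds)
    return trace, a, b


def detect_ack_storm(trace, threshold=3):
    """Map (src, dst, seq, ack) of pure ACKs repeated at least threshold times."""
    counts = Counter((s.src, s.dst, s.seq, s.ack) for s in trace if s.length == 0)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    trace, a, b = run_scenario()
    for seg in trace:
        print(seg)
    print("A thinks it has sent through", a.snd_nxt, "; B expects", b.rcv_nxt)
    print("ACK storm candidates:", detect_ack_storm(trace))
```

Running it prints the same shape of exchange as in the post: after the forged 10-byte segment, A keeps answering with `seq=1007 ack=5000` and B with `seq=5000 ack=1017`, and neither position ever moves. The detector keys on exactly that symptom, a pure ACK with an unchanging (seq, ack) pair repeated in one direction, which is what a monitoring point sees once the two hosts have been desynchronised; the same trace without the injection produces no repeated ACKs at all.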
