nanog mailing list archives

Re: TCP RST attack (the cause of all that MD5-o-rama)


From: Paul Jakma <paul () clubi ie>
Date: Wed, 21 Apr 2004 20:14:03 +0100 (IST)


On Tue, 20 Apr 2004, Patrick W.Gilmore wrote:

> (Someone check my math. :)

Try not to include text after your sig. Some people set their mailers 
to strip sigs from replies.

> Sequence numbers are 32 bits.  Since the miscreant only needs to
> guess once every 14 bits, you get:

>  2^32 / 2^14 == 262144

I.e., no more than 262144 different sequence numbers required to hit a 
window. 262144 packets @ 10kpps will take:

        262144/(10*1000) = 26.21440

That's 26 _seconds_, not hours - with a probability of 1. Though
after 13s of sending packets, probability is 0.5. At just 100pps:

        262144/(100)/60 = 43.69

So 44 minutes at a low packet rate, ~5kB/s, probability of 1 that you
will have hit the window (of the sequence number as it was for first
packet :) ), 22 minutes you're already at P(0.5).

However, for the 10kpps case, you have at most 26s to notice the 
10kpps / 480kB/s traffic.

> There is a router vendor out there which defaults to source ports
> between 1024 and 5000, or so I have been told.  (This router vendor
> does many things very well and should not be considered a Bad
> Vendor for this one minor error, which I hope they will fix ASAP.)

> We now have:

>  (5000 - 1024) * 262144 == 1042284544

Which is only 28 hours at 10kpps:

        1042284544/(10*1000)/3600 = 28.95234

A bit less likely, admittedly.

regards,
-- 
Paul Jakma      paul () clubi ie        paul () jakma org       Key ID: 64A2FF6A
        warning: do not ever send email to spam () dishone st
Fortune:
All bridge hands are equally likely, but some are more equally likely
than others.
                -- Alan Truscott
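The arithmetic in the post above, turned into a small model so the numbers can be checked and the knobs varied. This is an added example, not code from the original message or from anyone in the thread. It assumes, as the post does, that the attacker sweeps the 32-bit sequence space in steps of the receive window (2^14 here), that the target's sequence number and ephemeral source port stay fixed for the duration, that each guess is one packet sent at a constant rate, and that a RST packet is about 48 bytes on the wire (the post's 10kpps / 480kB/s figure). The function names and the 48-byte packet size are assumptions of this example.

```python
"""Model of the blind TCP RST brute-force cost discussed in the post.

Added example (not from the mailing-list thread). The assumptions are:
  * the attacker walks the sequence space in steps of `window`, so each
    packet covers `window` sequence numbers at once;
  * the victim's current sequence number and source port are uniformly
    random and do not move while the attack runs (the post's caveat:
    the window is "as it was for the first packet");
  * one packet per guess, sent at a constant `pps`;
  * `packet_bytes` (assumed 48) is only used for the bandwidth figure.
"""

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32 bits
DEFAULT_WINDOW = 2 ** 14     # the 16KB window the post assumes (one hit per 14 bits)


def guesses_to_cover(window: int = DEFAULT_WINDOW, port_range: int = 1) -> int:
    """Packets needed to cover every (sequence window, source port) pair once.

    With port_range == 1 the source port is known (or the defender pins it),
    so only the sequence space has to be swept.
    """
    windows = -(-SEQ_SPACE // window)        # ceiling division
    return windows * port_range


def time_to_cover(pps: float, window: int = DEFAULT_WINDOW, port_range: int = 1) -> float:
    """Seconds until the whole space has been swept (probability 1 under the model)."""
    return guesses_to_cover(window, port_range) / pps


def hit_probability(packets_sent: int, window: int = DEFAULT_WINDOW, port_range: int = 1) -> float:
    """P(at least one RST landed in-window) after `packets_sent` distinct guesses.

    Under the uniform assumption this grows linearly and reaches 0.5 at half the sweep,
    which is the post's "after 13s probability is 0.5" remark.
    """
    total = guesses_to_cover(window, port_range)
    return min(1.0, packets_sent / total)


def bandwidth_bytes_per_sec(pps: float, packet_bytes: int = 48) -> float:
    """Attack traffic rate the defender would have to notice (48 B/pkt is an assumption)."""
    return pps * packet_bytes


def scenario(pps: float, window: int = DEFAULT_WINDOW, port_range: int = 1) -> dict:
    """Collect the figures the post quotes for one (rate, window, port range) combination."""
    total = time_to_cover(pps, window, port_range)
    return {
        "packets": guesses_to_cover(window, port_range),
        "seconds_p1": total,        # whole space covered
        "seconds_p05": total / 2,   # half the space covered
        "hours_p1": total / 3600,
        "bytes_per_sec": bandwidth_bytes_per_sec(pps),
    }


if __name__ == "__main__":
    # The post's three cases: known port at 10kpps and 100pps, then the
    # 1024..5000 source-port range at 10kpps.
    print("known port, 10kpps :", scenario(10_000))
    print("known port, 100pps :", scenario(100))
    print("ports 1024-5000    :", scenario(10_000, port_range=5000 - 1024))
    # Beyond the post: a fully randomised ephemeral range (49152..65535)
    # multiplies the sweep by another ~4x over the 1024..5000 case.
    print("ports 49152-65535  :", scenario(10_000, port_range=65535 - 49152 + 1))
```

Running the block reproduces 262144 packets / 26.2s / 13.1s for the known-port case, 43.7 minutes at 100pps, and roughly 29 hours once the 3976-port range is added. The last line goes beyond the post to show how much a wider, randomised source-port range enlarges the search space under the same model; the model still ignores that the victim's sequence number advances as data flows, so real figures are upper bounds on the attacker's luck, not guarantees.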

