Vulnerability Development mailing list archives

Re: TCP/IP ISN Prediction Susceptibility


From: Olaf Kirch <okir () CALDERA DE>
Date: Wed, 14 Mar 2001 17:26:04 +0100

On Tue, Mar 13, 2001 at 11:56:29PM -0700, Elias Levy wrote:
This is different from IP spoofing attacks that attempt to initiate a
TCP connection to a server for which you need to guess the server's
ISN so you can complete the three-way handshake. In this case the
*server* having a predictable ISN is the vulnerability.

In particular, you do not have to guess the exact sequence number
the client is using at the moment; it's enough to have a rough idea of
it. Assuming you know the upper 16 bits of the sequence number, all it
takes is inserting some M packets with ISNs N bytes apart (M * N == 65536).
Unless the TCP window is pathological, the server will queue some of
these and deliver the data as soon as the "missing" data between the
current ISN and the guessed ISN arrives.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
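The trick Olaf describes above, worked through as an added example that is not part of the original post. A toy TCP receive side tracks the next expected byte, an advertised window and an out-of-order queue; the attacker, knowing only the upper 16 bits of the sequence number the server currently expects from the client, sprays one copy of a payload every N bytes across the 65536 candidates (M * N == 65536). Guesses that fall inside the window are queued, and once the legitimate client's traffic fills the gap in front of them the injected bytes are handed to the application as part of the stream. The receiver model, the sequence number 0x12345678, the window sizes, the byte-at-a-time "interactive" client and the payload are all constructed for this illustration and are not taken from any real stack.

```python
"""Toy model of blind TCP data injection with only approximate knowledge
of the peer's sequence number. Added illustration, not a real TCP stack.
Sequence arithmetic is mod 2**32 as in TCP."""

from dataclasses import dataclass, field

SEQ_MOD = 1 << 32


@dataclass
class ToyReceiver:
    """Receive side of one established connection (the server's view of
    the client's byte stream in the post's scenario)."""
    rcv_nxt: int                                   # next in-order sequence number expected
    rcv_wnd: int                                   # advertised receive window in bytes
    ooo: dict = field(default_factory=dict)        # seq -> payload held out of order
    delivered: bytearray = field(default_factory=bytearray)  # bytes passed to the app

    def _ahead(self, seq):
        """Distance of seq above rcv_nxt mod 2**32 (huge when seq lies behind)."""
        return (seq - self.rcv_nxt) % SEQ_MOD

    def segment(self, seq, payload):
        """Process one data segment; returns 'deliver', 'queue' or 'drop'."""
        ahead = self._ahead(seq)
        if ahead == 0:                             # exactly the next expected byte
            self._append(payload)
            self._drain()
            return "deliver"
        if ahead < self.rcv_wnd:                   # inside the window, gap in front of it
            self.ooo.setdefault(seq, payload[: self.rcv_wnd - ahead])
            return "queue"
        behind = SEQ_MOD - ahead
        if behind < len(payload):                  # starts below rcv_nxt but overlaps it
            self._append(payload[behind:])
            self._drain()
            return "deliver"
        return "drop"                              # entirely old, or beyond the window

    def _append(self, data):
        self.delivered += data
        self.rcv_nxt = (self.rcv_nxt + len(data)) % SEQ_MOD

    def _drain(self):
        """Release queued segments whose gap has now been filled."""
        progressed = True
        while progressed:
            progressed = False
            for seq in list(self.ooo):
                ahead = self._ahead(seq)
                if 0 < ahead < self.rcv_wnd:
                    continue                       # still waiting on the bytes in front
                payload = self.ooo.pop(seq)
                behind = (SEQ_MOD - ahead) % SEQ_MOD   # 0 when it is exactly next
                if behind < len(payload):          # bytes already delivered are skipped
                    self._append(payload[behind:])
                    progressed = True


def blind_inject(rx, known_upper16, spacing, payload):
    """Attacker knows only the top 16 bits of the expected sequence number.
    Send the payload at every multiple of `spacing` across the 65536
    candidates (M packets N bytes apart, M * N == 65536 in the post's terms).
    Returns how many guesses were delivered, queued and dropped."""
    base = known_upper16 << 16
    m_count = 65536 // spacing
    outcomes = [rx.segment((base + i * spacing) % SEQ_MOD, payload)
                for i in range(m_count)]
    return outcomes.count("deliver"), outcomes.count("queue"), outcomes.count("drop")


def run_attack(true_seq, window, spacing, payload=b"INJECTED"):
    """Inject blindly, then let the legitimate client keep typing one byte at
    a time (an interactive session). Returns the injection outcome counts and
    the byte stream the server application actually received."""
    rx = ToyReceiver(rcv_nxt=true_seq, rcv_wnd=window)
    counts = blind_inject(rx, true_seq >> 16, spacing, payload)
    # Legitimate traffic fills the gap in front of each queued guess. When it
    # reaches a guess, the injected bytes are delivered in the stream and the
    # client's own bytes for that range are then discarded as duplicates.
    for i in range(window + 1):
        rx.segment((true_seq + i) % SEQ_MOD, b".")
    return counts, bytes(rx.delivered)


if __name__ == "__main__":
    counts, stream = run_attack(0x12345678, window=32768, spacing=4096)
    print("deliver/queue/drop for the 16 guesses:", counts)
    print("injected copies in the delivered stream:", stream.count(b"INJECTED"))
    print("first copy lands at stream offset:", stream.find(b"INJECTED"))
```

With a 32 KiB window and 4 KiB spacing, half of the 16 guesses sit inside the window and every one of them ends up in the application's byte stream; with a 512-byte window the same spacing misses entirely, and the attacker has to drop N to 512 (M = 128 packets) to land a guess. That is the "pathological window" caveat from the post: the window only has to be at least N bytes wide for one of the M guesses to be queued.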

