Vulnerability Development mailing list archives
Re: TCP/IP ISN Prediction Susceptibility
From: Olaf Kirch <okir () CALDERA DE>
Date: Wed, 14 Mar 2001 17:26:04 +0100
On Tue, Mar 13, 2001 at 11:56:29PM -0700, Elias Levy wrote:
> This is different from IP spoofing attacks that attempt to initiate a TCP connection to a server for which you need to guess the server's ISN so you can complete the three-way handshake. In this case the *server* having a predictable ISN is the vulnerability.
In particular, you do not have to guess the exact sequence number the client is using at the moment; it's enough to have a rough idea of it. Assuming you know the upper 16 bits of the sequence number, all it takes is inserting some M packets with ISNs N bytes apart (M * N == 65536). Unless the TCP window is pathological, the server will queue some of these and deliver the data as soon as the "missing" data between the current ISN and the guessed ISN arrives.

Olaf
--
Olaf Kirch            |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
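The arithmetic in the message above, modelled from the receiving side as an added example (not part of the original post): it applies the RFC 793 segment acceptability test to M evenly spaced sequence numbers and counts how many land in the receive window, then shows how the count needed grows when all 32 bits are unpredictable. The function names and the values in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Is seq inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd)?
 * Unsigned subtraction makes the comparison correct across 2^32 wrap. */
static int in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* RFC 793 acceptability test: a data segment is accepted when its first
 * or last byte is in the window; a zero window accepts no data at all. */
static int seg_acceptable(uint32_t rcv_nxt, uint32_t rcv_wnd,
                          uint32_t seq, uint32_t len)
{
    if (len == 0)
        return rcv_wnd ? in_window(rcv_nxt, rcv_wnd, seq) : seq == rcv_nxt;
    if (rcv_wnd == 0)
        return 0;
    return in_window(rcv_nxt, rcv_wnd, seq) ||
           in_window(rcv_nxt, rcv_wnd, seq + len - 1);
}

/* Of m segments spaced 65536/m apart over the 64 KiB block whose upper
 * 16 bits are known, how many pass the test? (m > 0, m divides 65536) */
static unsigned count_accepted(uint32_t rcv_nxt, uint32_t rcv_wnd,
                               uint32_t m, uint32_t len)
{
    uint32_t base = rcv_nxt & 0xFFFF0000u, step = 65536u / m;
    unsigned hits = 0;
    for (uint32_t i = 0; i < m; i++)
        hits += seg_acceptable(rcv_nxt, rcv_wnd, base + i * step, len);
    return hits;
}

/* Lower bound on segments needed to cover 2^unknown_bits of sequence
 * space at window-sized spacing (unknown_bits <= 32). */
static uint64_t guesses_needed(unsigned unknown_bits, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0) return UINT64_MAX;
    return ((1ULL << unknown_bits) + rcv_wnd - 1) / rcv_wnd;
}

int main(void)
{
    uint32_t rcv_nxt = 0x1234ABCDu, wnd = 8192; /* constructed values */
    printf("accepted of 16: %u\n", count_accepted(rcv_nxt, wnd, 16, 1));
    printf("needed, 16 vs 32 unknown bits: %llu vs %llu\n",
           (unsigned long long)guesses_needed(16, wnd),
           (unsigned long long)guesses_needed(32, wnd));
    return 0;
}
```

With an 8 KiB window the 16-bit case needs only 8 segments while a fully unpredictable 32-bit sequence number needs 524288, which is why the predictability of the upper bits matters more than the exact value.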