Vulnerability Development mailing list archives
Re: TCP/IP ISN Prediction Susceptibility
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Thu, 15 Mar 2001 08:50:48 +0800
That's interesting. Do you know of any O/S which will/won't do this?

If this method actually works, then one might possibly bypass some sort of checks in certain firewalls/IDS when targeting vulnerable systems.

Cheerio,
Link.

At 05:26 PM 14-03-2001 +0100, you wrote:
> In particular, you do not have to guess the exact sequence number the client is using at the moment; it's enough to have a rough idea of it. Assuming you know the upper 16 bits of the sequence number, all it takes is inserting some M packets with ISNs N bytes apart (M * N == 65536). Unless the TCP window is pathological, the server will queue some of these and deliver the data as soon as the "missing" data between the current ISN and the guessed ISN arrives.
>
> Olaf
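The receive-window behaviour discussed in this message, modelled from the receiver's side as an added example that is not part of either post. The function names, the sample sequence number, and the window sizes are constructed for illustration, and the acceptability test is simplified from RFC 793 (segment length is ignored).

```python
# Added illustration: how a TCP receiver treats segments whose sequence
# numbers are only roughly right. All names and values here are constructed.
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def classify(seq, rcv_nxt, rcv_wnd):
    """Classify a segment's first sequence number against the receive window."""
    offset = (seq - rcv_nxt) % MOD   # distance ahead of the next expected byte
    if offset == 0:
        return "in-order"            # delivered to the application at once
    if offset < rcv_wnd:
        return "queued"              # held until the gap before it is filled
    return "dropped"                 # outside the window


def candidates(upper16, m):
    """M sequence numbers N = 65536 / M apart, all sharing the upper 16 bits."""
    n = 65536 // m
    return [((upper16 << 16) + i * n) % MOD for i in range(m)]


def accepted(rcv_nxt, rcv_wnd, m):
    """Candidates the receiver keeps, with the bytes still missing before each.

    Only the upper 16 bits of rcv_nxt are used to build the candidates,
    matching the "rough idea" assumption in the quoted text.
    """
    kept = []
    for seq in candidates(rcv_nxt >> 16, m):
        state = classify(seq, rcv_nxt, rcv_wnd)
        if state != "dropped":
            kept.append((seq, state, (seq - rcv_nxt) % MOD))
    return kept


if __name__ == "__main__":
    rcv_nxt = 0x12345678             # constructed receiver state
    for wnd in (8192, 1024):         # ordinary window vs. very small window
        print(f"window={wnd}")
        for seq, state, gap in accepted(rcv_nxt, wnd, m=16):
            print(f"  seq={seq:#010x} {state}, {gap} bytes missing before it")
```

With N = 4096, an 8192-byte window keeps two of the sixteen candidates, while a 1024-byte window keeps none, which is the dependence on window size that the quoted text points at.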