[69923] in North American Network Operators' Group
Re: TCP RST attack (the cause of all that MD5-o-rama)
daemon@ATHENA.MIT.EDU (Paul Jakma)
Wed Apr 21 15:14:58 2004
Date: Wed, 21 Apr 2004 20:14:03 +0100 (IST)
From: Paul Jakma <paul@clubi.ie>
To: "Patrick W.Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu
In-Reply-To: <99C2AAA0-9302-11D8-B101-000A9578BB58@ianai.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 20 Apr 2004, Patrick W.Gilmore wrote:
> (Someone check my math. :)
Try not to include text after your sig. Some people set their mailers
to strip sigs from replies.
> Sequence numbers are 32 bits. Since the miscreant only needs to
> guess once every 14 bits, you get:
> 2^32 / 2^14 == 262144
I.e., no more than 262144 different sequence numbers are required to hit a
window. 262144 packets @ 10kpps will take:
262144/(10*1000) = 26.21440
That's 26 _seconds_, not hours - with a probability of 1. Though
after 13s of sending packets, the probability is already 0.5. At just 100pps:
262144/(100)/60 = 43.69
So 44 minutes at a low packet rate, ~5kB/s, with a probability of 1 that you
will have hit the window (of the sequence number as it was for the first
packet :) ); at 22 minutes you're already at P(0.5).
However, for the 10kpps case, you have at most 26s to notice the
10kpps / 480kB/s traffic.
> There is a router vendor out there which defaults to source ports
> between 1024 and 5000, or so I have been told. (This router vendor
> does many things very well and should not be considered a Bad
> Vendor for this one minor error, which I hope they will fix ASAP.)
> We now have:
> (5000 - 1024) * 262144 == 1042284544
Which is only 28 hours at 10kpps:
1042284544/(10*1000)/3600 = 28.95234
A bit less likely, admittedly.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
All bridge hands are equally likely, but some are more equally likely
than others.
-- Alan Truscott
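The arithmetic from the post above, worked through in code, together with a
small constructed model of the attacker sweeping sequence space. This is an
added example, not code from the original message or from any vendor
mentioned in the thread. The window size (2^14), the 10kpps / 100pps rates
and the 1024-5000 source-port range are the figures used in the post; the
function names (in_window, guesses_to_cover, time_to_cover, probes_until_hit,
mean_probes) are this example's own, and the in_window() check follows the
RFC 793 rule that a RST is accepted when its sequence number lies in
[RCV.NXT, RCV.NXT + RCV.WND). The victim's RCV.NXT values fed to the model
are generated at random here, not captured from a real connection.

```python
# Added example (not from the original post): the in-window RST attack
# arithmetic, plus a constructed model of the attacker stepping through
# sequence space one window at a time.
import random

SEQ_SPACE = 2 ** 32          # 32-bit TCP sequence numbers


def in_window(seq, rcv_nxt, window):
    """RFC 793 acceptance test for a RST: seq must lie in the receive window
    [rcv_nxt, rcv_nxt + window). Modular subtraction handles wrap at 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def guesses_to_cover(window, ports=1):
    """Probes needed for certainty: one per window-sized slice of sequence
    space, repeated for every candidate source port."""
    slices = -(-SEQ_SPACE // window)   # ceiling division
    return slices * ports


def time_to_cover(window, pps, ports=1):
    """Seconds needed to send every probe at `pps` packets per second."""
    return guesses_to_cover(window, ports) / pps


def probes_until_hit(window, rcv_nxt, start=0):
    """Constructed model of the attack: step the guessed sequence number by
    `window` starting at `start` and count probes until one lands inside the
    victim's receive window. Returns None only if coverage is incomplete,
    which cannot happen when the window size divides 2^32."""
    for i in range(guesses_to_cover(window)):
        seq = (start + i * window) % SEQ_SPACE
        if in_window(seq, rcv_nxt, window):
            return i + 1
    return None


def mean_probes(window, trials, seed=0):
    """Average probe count over uniformly random victim RCV.NXT values
    (constructed input). Because the target is equally likely to be anywhere
    in sequence space, the mean is about half the full sweep, which is the
    P(0.5) point the post refers to."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += probes_until_hit(window, rng.randrange(SEQ_SPACE))
    return total / trials


if __name__ == "__main__":
    w = 2 ** 14                                                  # 16 kB window
    print("probes for certainty:", guesses_to_cover(w))          # 262144
    print("seconds at 10 kpps:", time_to_cover(w, 10_000))       # 26.2144
    print("minutes at 100 pps:", time_to_cover(w, 100) / 60)     # 43.69
    ports = 5000 - 1024                                          # port range from the post
    print("probes with port guessing:", guesses_to_cover(w, ports))       # 1042284544
    print("hours at 10 kpps:", time_to_cover(w, 10_000, ports) / 3600)    # 28.95
    print("probes to hit RCV.NXT=1000000:", probes_until_hit(w, 1_000_000))  # 63
```

The model only counts probes for a single known four-tuple; multiplying by
the number of candidate source ports, as the post does, assumes the attacker
has no better information about which port is in use. A larger advertised
window shrinks the sweep proportionally, which is why window size, not the
32-bit sequence space, is the quantity that matters here.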