[11541] in bugtraq
Re: NT Predictable Initial TCP Sequence numbers - changes
daemon@ATHENA.MIT.EDU (Deri Jones)
Sat Aug 28 05:06:22 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.1.32.19990826095808.008356e0@192.168.124.1>
Date: Thu, 26 Aug 1999 09:58:08 +0100
Reply-To: Deri Jones <bugtraq-l@NTA-MONITOR.COM>
From: Deri Jones <bugtraq-l@NTA-MONITOR.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Microsoft have now confirmed the problem:
-----------------------------------------
From: Sunil Gopal
To: Roy Hills <Roy.Hills@nta-monitor.com>
Subject: RE: NT 4.0 SP4 predictable initial TCP sequence numbers
Date: Tue, 24 Aug 1999 04:20:56 -0700
Hi Roy,
Sorry about the silence...
Though the TCP sequence generation pattern changes made to TCPIP.SYS for SP4
are an improvement, I have been informed that this has been resolved in
Windows 2000 and will be "back ported" to NT 4.0 in a future SP release. The
issue remains open and is being worked on....
We are trying to escalate this further and get it into the HOTFIX
schedule and hope to make it available to xxx ASAP.
Hope this helps...
Thanks and Regards,
Sunil Gopal, MCSE
Technical Specialist/Systems Engineer
mailto:sunilg@microsoft.com
"Enable people to do anything they want, anytime they want, anywhere they
want, on any device."
_____________________________________________________________________________________________
-----Original Message-----
From: Roy Hills [mailto:Roy.Hills@nta-monitor.com]
Sent: Tuesday, August 24, 1999 12:54 PM
To: Sunil Gopal
Subject: NT 4.0 SP4 predictable initial TCP sequence numbers
Folks,
I've not heard back from Microsoft yet regarding the new predictable
initial TCP sequence pattern in NT 4.0 SP4, so I've done some more
research on the testbench to gain a better understanding of what's going on.
It looks like the difference between consecutive initial TCP sequence numbers is always
between 0 and 14 and is always an even number - i.e. 0,2,4,8,10,12 or 14.
From a sample of 5,000 initial sequence numbers - i.e. 4,999 difference
pairs - I get the following distribution:
Sequence Number    Number of
Difference         occurrences
---------------    -----------
 0                 648
 2                 584
 4                 608
 6                 660
 8                 602
10                 666
12                 641
14                 590
I've also tested systems at different rates from one connection every
20ms to one connection per second, and the pattern remains the same.
So it's not time-related like the old SP3 behaviour.
I'm going to post my finding to a couple of security mailing lists
to share this information with the security community. Obviously
I won't mention any names! I'll send you a copy of my posting to
keep you informed of progress.
Regards,
Roy Hills
NTA Monitor Ltd
--
Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
6 Beaufort Court, Medway City Estate, Email:
Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK WWW:
http://www.nta-monitor.com/
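The measurement Roy Hills describes above (collect consecutive initial sequence numbers, take the difference of each adjacent pair, tabulate the distribution) can be reproduced with the following script. This is an added example and not code from the original posting or from NTA Monitor; the ISN samples it uses are constructed in-line to imitate the reported pattern (even differences from 0 to 14) and a random 32-bit generator for comparison, and the 16-distinct-values threshold in `assess` is an assumption chosen for this illustration. A generator whose successive ISNs differ by only a handful of small values gives far less than 32 bits of uncertainty, which is the defect the thread is about.

```python
"""Added example (not from the original posting): tabulate the distribution of
consecutive TCP initial sequence number (ISN) differences, as in the test
described in the thread. All sample data below is constructed, not captured."""
import random
from collections import Counter

MOD = 1 << 32  # TCP sequence numbers are 32-bit, so differences wrap around


def isn_differences(isns):
    """Return the consecutive differences (mod 2**32) of a list of ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def difference_distribution(isns):
    """Map each observed difference to its number of occurrences."""
    return Counter(isn_differences(isns))


def assess(isns):
    """Summarise how predictable an ISN stream looks.

    Reports the number of distinct differences, the largest one, whether all of
    them are even, and a crude 'predictable' verdict. The threshold of 16
    distinct values is an assumption for this example, not a standard.
    """
    dist = difference_distribution(isns)
    diffs = list(dist)
    return {
        "distinct_differences": len(diffs),
        "max_difference": max(diffs) if diffs else 0,
        "all_even": all(d % 2 == 0 for d in diffs),
        "predictable": len(diffs) <= 16,
    }


def simulate_sp4_like(n, seed=1):
    """CONSTRUCTED sample: each ISN is the previous one plus an even value in
    0..14, mimicking the distribution reported in the posting."""
    rng = random.Random(seed)
    isns = [rng.getrandbits(32)]
    for _ in range(n - 1):
        isns.append((isns[-1] + rng.choice(range(0, 16, 2))) % MOD)
    return isns


def simulate_random(n, seed=1):
    """CONSTRUCTED sample: independent 32-bit values, roughly what a sound
    generator should look like to an observer of consecutive connections."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("sp4-like", simulate_sp4_like(5000)),
                         ("random", simulate_random(5000))):
        print(name, assess(sample))
    # Print the difference table for the weak generator, like the posting's table
    dist = difference_distribution(simulate_sp4_like(5000))
    print("Difference  Occurrences")
    for d in sorted(dist):
        print(f"{d:>10}  {dist[d]:>11}")
```

Feeding real ISNs into `difference_distribution` (one value per connection attempt, sampled at a fixed rate) reproduces the table in the posting; repeating the run at several connection rates, as the posting does, shows whether the pattern is rate-dependent.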