[7913] in bugtraq
Re: Borderware predictable initial TCP
daemon@ATHENA.MIT.EDU (Ivan Arce,CORE SDI)
Wed Sep 9 11:47:06 1998
Date: Tue, 8 Sep 1998 20:31:22 -0600
Reply-To: "Ivan Arce,CORE SDI" <ivan@SECURENETWORKS.COM>
From: "Ivan Arce,CORE SDI" <ivan@SECURENETWORKS.COM>
X-To: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199809030846.JAA00563@mercury.nta-monitor.com>
On Thu, 3 Sep 1998, Roy Hills wrote:
> While NT 4 SP3 does have a pattern to its initial TCP sequence
> numbers, my observations show this to be a "one-per-millisecond"
> sequence which is much less of a problem than the "64k increments"
> pattern exhibited by Borderware and HP-UX 10.x default configurations.
>
> With the "64k increments" pattern, the server's initial TCP sequence
> number is increased by 64,000 for each incoming connection and by
> 128,000 each second. These granularities of inbound connections and
> seconds are sufficiently coarse to make sequence number prediction
> trivial.
>
> By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
> increases the initial TCP sequence number by one every millisecond.
> I think that this would be very difficult to exploit remotely because the
> latency variations over an Internet connection are generally much greater
> than a millisecond. I guess that it may be possible to exploit over a LAN
> connection, but even then, I doubt that it would be easy.
>
> Has anyone actually seen or demonstrated a successful spoofing
> attack against NT 4 SP3 over an Internet connection?
>
> Roy Hills
> NTA Monitor
>
Hmmm
NT+SP3, Pentium 233Mhz
How exploitable does this look:
TCP Initial Sequence Numbers

###:  Sequence Number   RTT      Difference
---:  ---------------   -------  ------------
  0   547735488         9 ms.       0
  1   547735979         9 ms.     491
  2   547736480         9 ms.     501
  3   547736980         9 ms.     500
  4   547737481         9 ms.     501
  5   547737982         9 ms.     501
  6   547738483         9 ms.     501
  7   547738983         9 ms.     500
  8   547739484         9 ms.     501
  9   547739975         9 ms.     491
 10   547740475         9 ms.     500
 11   547740976         9 ms.     501
 12   547741477         9 ms.     501
 13   547741978         9 ms.     501
 14   547742478         9 ms.     500
 15   547742979         9 ms.     501
 16   547743480         9 ms.     501
 17   547743980         9 ms.     500
 18   547744481         9 ms.     501
 19   547744982         9 ms.     501
 20   547745483         9 ms.     501
 21   547745983         9 ms.     500
 22   547746474         9 ms.     491
 23   547746975         9 ms.     501
 24   547747475         9 ms.     500
 25   547747976         9 ms.     501
 26   547748477         9 ms.     501
 27   547748978         9 ms.     501
 28   547749478         9 ms.     500
 29   547749979         9 ms.     501
 30   547750480         9 ms.     501
 31   547750981         9 ms.     501
 32   547751481         9 ms.     500
 33   547751982         9 ms.     501
 34   547752483         9 ms.     501
 35   547752983         9 ms.     500
 36   547753484         9 ms.     501
 37   547753975         9 ms.     491
 38   547754476         9 ms.     501
 39   547754976         9 ms.     500
 40   547755477         9 ms.     501
 41   547755978         9 ms.     501
 42   547756478         9 ms.     500
 43   547756979         9 ms.     501
 44   547757480         9 ms.     501
 45   547757981         9 ms.     501
 46   547758481         9 ms.     500
 47   547758982         9 ms.     501
 48   547759483         9 ms.     501
 49   547759983         9 ms.     500
 50   547760484         9 ms.     501

mean <499.92>   standard deviation (square) <7.2588>
==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce
Technology Management          Email     : ivan@core-sdi.com
Av. Santa Fe 2861 5to C        Tel       : +54-1-821-1030
CP 1425                        Fax       : +54-1-821-1030
Buenos Aires, Argentina        Messaging : +54-1-317-4157
==============================================================================
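As an added example (not code from the post, from Roy Hills or from Core SDI), a Python script that derives the per-connection increments from an observed ISN series and reproduces the mean and sample-variance figures at the foot of the table, using the 51 values above as constructed input. The 5% spread threshold in classify is an assumption chosen for illustration.

```python
"""Measure how predictable a host's TCP initial sequence numbers (ISNs)
are from a series of SYN/ACK ISNs captured one per new connection.
Added example for this thread, not code from the post or Core SDI."""
from statistics import mean, variance

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

# Constructed input: the 51 ISNs quoted in the post above (NT 4 SP3).
OBSERVED_ISNS = [
    547735488, 547735979, 547736480, 547736980, 547737481, 547737982,
    547738483, 547738983, 547739484, 547739975, 547740475, 547740976,
    547741477, 547741978, 547742478, 547742979, 547743480, 547743980,
    547744481, 547744982, 547745483, 547745983, 547746474, 547746975,
    547747475, 547747976, 547748477, 547748978, 547749478, 547749979,
    547750480, 547750981, 547751481, 547751982, 547752483, 547752983,
    547753484, 547753975, 547754476, 547754976, 547755477, 547755978,
    547756478, 547756979, 547757480, 547757981, 547758481, 547758982,
    547759483, 547759983, 547760484,
]


def isn_deltas(isns):
    """Per-connection ISN increments, taken modulo 2^32 so a wrap of the
    32-bit sequence space does not show up as a huge negative jump."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def isn_stats(isns):
    """Mean and sample variance of the increments (the two figures at the
    foot of the table) plus their spread, max - min: the window of
    sequence values the next ISN actually landed in."""
    d = isn_deltas(isns)
    return {"mean": mean(d), "variance": variance(d),
            "spread": max(d) - min(d)}


def classify(isns):
    """Label the pattern: a near-constant step (clock-driven ISNs like the
    table above) when the spread is within 5% of the mean increment
    (assumed threshold), otherwise irregular."""
    s = isn_stats(isns)
    if s["spread"] <= 0.05 * s["mean"]:
        return "near-constant-increment"
    return "irregular"


if __name__ == "__main__":
    print(isn_stats(OBSERVED_ISNS), classify(OBSERVED_ISNS))
```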