[7917] in bugtraq


Re: Borderware predictable initial TCP

daemon@ATHENA.MIT.EDU (Patrick)
Wed Sep 9 14:41:50 1998

Date: 	Wed, 9 Sep 1998 14:12:25 -0400
Reply-To: Patrick <patrick@CS.VIRGINIA.EDU>
From: Patrick <patrick@CS.VIRGINIA.EDU>
X-To:         Roy Hills <Roy.Hills@NTA-MONITOR.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199809091018.LAA00614@mercury.nta-monitor.com>

> I've also got a feeling that it may be possible to send multiple ACKs to the
> server and the incorrect ones might just get ignored - if this is true,
> then it would be possible to "bracket" the predicted sequence no. with
> multiple ACKs to increase the chance of success.  Does anyone know if this
> is really the case?

Yes, all the TCP stacks I have tried seem to ignore incorrect seq/ack
numbers.  This includes Linux, Solaris, Win*, and AIX.  I can do more
specific testing if it's an issue.

I have a program that gets sequence numbers by sniffing and then spoofs
FIN packets to tear down a connection.  If I get the sequence numbers
wrong (i.e., some legitimate packets arrive before my spoofed FINs), I
just sniff another packet and try sending FINs again, etc.

Juggernaut has similar functionality (using RST instead of FIN), and it
goes so far as to send 10 RSTs, incrementing the sequence numbers for each
attempt.  This should significantly increase the chances of taking the
connection down successfully.

--Patrick
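A defender-side check for the behaviour discussed in this thread, added here as an example that is not part of the original post: it scans packet records for a flow that receives a burst of RST/FIN segments carrying several distinct sequence numbers (the "bracketing" pattern), which a single legitimate close never produces. The packet records, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not captured data): (ts, src, dst, sport, dport, flags, seq)
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 40000, 23, "PA", 5000),
    (0.10, "10.0.0.9", "10.0.0.5", 23, 40000, "PA", 9000),
    (0.50, "10.0.0.5", "10.0.0.9", 40000, 23, "F", 5020),   # ordinary close: one FIN each way
    (0.51, "10.0.0.9", "10.0.0.5", 23, 40000, "FA", 9010),
]
# Ten RSTs aimed at one flow within 10 ms, each with the sequence number stepped up by one
SAMPLE_PACKETS += [
    (1.0 + i * 0.001, "10.0.0.7", "10.0.0.9", 51000, 23, "R", 77000 + i) for i in range(10)
]


def detect_reset_sweeps(packets, window=1.0, min_distinct=3):
    """Return one alert per flow that sees >= min_distinct RST/FIN segments with
    distinct sequence numbers inside `window` seconds (thresholds are assumptions)."""
    by_flow = defaultdict(list)
    for ts, src, dst, sport, dport, flags, seq in packets:
        if "R" in flags or "F" in flags:
            by_flow[(src, dst, sport, dport)].append((ts, seq))

    alerts = []
    for flow, pkts in by_flow.items():
        pkts.sort()
        for i, (t0, _) in enumerate(pkts):
            # sliding window starting at each teardown segment
            burst = [s for t, s in pkts[i:] if t - t0 <= window]
            distinct = sorted(set(burst))
            if len(distinct) >= min_distinct:
                alerts.append({
                    "flow": flow,
                    "count": len(burst),
                    "seq_span": distinct[-1] - distinct[0],
                })
                break  # one alert per flow is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_sweeps(SAMPLE_PACKETS):
        print(alert)
```

The normal close above contributes only one FIN per direction and is not flagged; the ten-RST burst yields a single alert whose small `seq_span` is what distinguishes a sweep from unrelated resets.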
