[7918] in bugtraq


Re: NT4-SP3 Sequence Prediction

daemon@ATHENA.MIT.EDU (nate@ROOT.ORG)
Wed Sep 9 14:51:49 1998

Date: 	Wed, 9 Sep 1998 18:31:37 -0000
Reply-To: nate@ROOT.ORG
From: nate@ROOT.ORG
To: BUGTRAQ@NETSPACE.ORG

On Thu, 3 Sep 1998, Roy Hills wrote:
> By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
> increases the initial TCP sequence number by one every millisecond.
> I think that this would be very difficult to exploit remotely
> because the latency variations over an Internet connection are
> generally much greater than a millisecond.  I guess that it may
> be possible to exploit over a LAN connection, but even then, I doubt
> that it would be easy.

It is very easy.  Assume that you have a standard deviation of 3 in the
sequence every 10 ms (Ivan Arce measured a stdev of 2.6942).  This means
that a single guessed sequence of 499, 500, or 501 has a ~68% (1 stdev)
chance of being correct. Assuming you are guessing one every 10 ms, it
would only take 3 tries (30 ms) for you to have a better than 90% chance
of succeeding.

The lesson is that low individual event probability doesn't mean much
when you can repeat the attempt millions of times.  With today's higher-
speed networks, the rare becomes commonplace.  A "collision" of DES-encrypted
network traffic (with its 64 bit block size) will occur within a couple minutes
on a 1gb/sec link.

Ivan Arce wrote:
>mean <  499.92>  standard deviation (square) <  7.2588>

That is the variance, s^2. (Perhaps you meant this by (square)).
The standard deviation is s < 2.6942.  Also, in situations like this, it
would be best to use the step function since sequence numbers can only
be integer values.

-Nate
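The two pieces of arithmetic in this thread (per-guess probability from the measured spread, then the cumulative chance over repeated attempts) as an added worked example for quantifying how weak a low-variance ISN generator is; this is not code from the original post. It assumes the per-tick increment is roughly normally distributed around its mean, and, as Nate suggests, treats the increment as integer-valued by giving each integer the bin (k-0.5, k+0.5].

```python
import math


def normal_cdf(x, mean, stdev):
    """CDF of N(mean, stdev^2), using math.erf so no extra libraries are needed."""
    return 0.5 * (1.0 + math.erf((x - mean) / (stdev * math.sqrt(2.0))))


def prob_integer_in_window(mean, stdev, low, high):
    """Probability that an integer-valued increment, modelled by a normal
    approximation (an assumption), falls in [low, high] inclusive.  Each
    integer k is treated as the bin (k-0.5, k+0.5] -- the 'step function'
    view from the post -- instead of a point on a continuous curve."""
    return normal_cdf(high + 0.5, mean, stdev) - normal_cdf(low - 0.5, mean, stdev)


def prob_at_least_one_success(p_single, attempts):
    """Cumulative probability that at least one of `attempts` independent
    tries succeeds when each try succeeds with probability p_single.
    This is the 'repeat the attempt' argument made in the post."""
    return 1.0 - (1.0 - p_single) ** attempts


def attempts_for_confidence(p_single, target):
    """Smallest number of independent tries for which the cumulative
    success probability reaches `target` (e.g. 0.90)."""
    if not 0.0 < p_single < 1.0:
        raise ValueError("p_single must be strictly between 0 and 1")
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_single))


if __name__ == "__main__":
    # Figures taken from the thread: mean 499.92, variance 7.2588 per 10 ms.
    mean, stdev = 499.92, math.sqrt(7.2588)
    p = prob_integer_in_window(mean, stdev, 499, 501)
    print(f"stdev = {stdev:.4f}, P(increment in 499..501) = {p:.3f}")
    # The post's round figure of 0.68 per guess, repeated three times.
    print(f"3 tries at p=0.68: {prob_at_least_one_success(0.68, 3):.3f}")
    print(f"tries for 90% at p=0.68: {attempts_for_confidence(0.68, 0.90)}")
```

The cumulative figure is what matters for risk: a generator whose increment is predictable to within a few units is defeated by a handful of attempts, which is why later ISN generators add a large random component rather than a fixed per-millisecond step.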
