[7919] in bugtraq
Re: NT4-SP3 Sequence Prediction
daemon@ATHENA.MIT.EDU (Steve Bellovin)
Wed Sep 9 15:55:59 1998
Date: Wed, 9 Sep 1998 15:27:05 -0400
Reply-To: Steve Bellovin <smb@RESEARCH.ATT.COM>
From: Steve Bellovin <smb@RESEARCH.ATT.COM>
To: BUGTRAQ@NETSPACE.ORG

Relying on a fast counter for protection is fruitless -- I showed this
in a 1989 paper. Look at it this way -- given some idea of the mean
increment per unit time, trying to find the exact right guess is like
trying to exploit a race condition. Usually you lose -- but winning
just once is enough.

Furthermore, the idea of multiple guesses per attempt appears to be
sound -- from a quick glance at the TCP spec, an erroneous ACK will not
cause any harm.

The best solution, of course, is to abandon the fatally-flawed notion
of address-based authentication in the first place. If you must use
it, use a per-connection time base, per RFC 1948.
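
An added example, not part of the message above or of any vendor's stack: a sketch of the RFC 1948 scheme, ISN = M + F(localhost, localport, remotehost, remoteport), set beside a single global counter. M is the 4-microsecond timer and F uses MD5 over the connection ID and a secret, as the RFC suggests; the addresses, ports, secret and timestamps are constructed for illustration.

```python
import hashlib
import socket
import struct

MASK32 = 0xFFFFFFFF

def clock_m(now_us: int) -> int:
    """M: the ISN timer, one tick per 4 microseconds, modulo 2**32."""
    return (now_us // 4) & MASK32

def offset_f(secret: bytes, laddr: str, lport: int, raddr: str, rport: int) -> int:
    """F: hash of the connection 4-tuple plus a secret, truncated to 32 bits."""
    conn_id = (socket.inet_aton(laddr) + struct.pack("!H", lport)
               + socket.inet_aton(raddr) + struct.pack("!H", rport))
    return struct.unpack("!I", hashlib.md5(conn_id + secret).digest()[:4])[0]

def isn_rfc1948(secret, now_us, laddr, lport, raddr, rport) -> int:
    """Per-connection time base: the shared timer plus a per-tuple offset."""
    return (clock_m(now_us) + offset_f(secret, laddr, lport, raddr, rport)) & MASK32

def isn_global(now_us: int) -> int:
    """Single counter: every connection reads the same sequence space."""
    return clock_m(now_us)

def compare(secret: bytes, now_us: int) -> dict:
    server = ("192.0.2.10", 513)        # constructed addresses (documentation ranges)
    observer = ("198.51.100.7", 1023)   # a host that sees the ISN the server sends it
    trusted = ("203.0.113.5", 1023)     # a host whose address the server trusts
    own = isn_rfc1948(secret, now_us, *server, *observer)
    other = isn_rfc1948(secret, now_us, *server, *trusted)
    later = isn_rfc1948(secret, now_us + 1_000_000, *server, *observer)
    return {
        # Global counter: at one instant, the observer's ISN is also the other tuple's ISN.
        "global_gap": (isn_global(now_us) - isn_global(now_us)) & MASK32,
        # RFC 1948: the gap is F(trusted) - F(observer), unknown without the secret.
        "rfc1948_gap": (other - own) & MASK32,
        # The same tuple still advances with the timer, so old duplicates are rejected.
        "same_tuple_advance": (later - own) & MASK32,
    }

if __name__ == "__main__":
    # Constructed secret; a real stack would draw it from a random source.
    for name, value in compare(b"constructed-secret", 1_000_000_000).items():
        print(f"{name}: {value}")
```
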