Date:      Tue, 8 Jan 2002 21:27:01 +0100
From:      Matthias Schuendehuette <msch@snafu.de>
To:        freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Cc:        Peter.Sauerland@siemens.com
Subject:   Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID:  <E16O2qF-0004KI-00@clever.eusc.inter.net>
In-Reply-To: <20020107214128.A19265@net.tamu.edu>
References:  <E16MX0z-0004sQ-00@clever.eusc.inter.net> <20020107104258.Y23081-100000@crimelords.org> <20020107214128.A19265@net.tamu.edu>

Hello everybody,

On Tuesday, 8 January 2002 04:41, you wrote:
> My experience with ISS is that it tends to report false positives
> quite often.  For example, we are still scratching our heads when it
> reports ISS problems for an IRIX box running Apache.

Now we have the ability to look a bit behind the scenes...

I got the section of the scan logfile which concerns the TCP sequence 
prediction test. I hope it's anonymized enough: 'aaa.bbb.ccc.ddd' is 
the FreeBSD 4.5-PRERELEASE box and 'www.xxx.yyy.zzz' is the scanning 
machine.

I hope that some of the TCP/IP gurus will have a look at it and draw 
(and let me/us know) a conclusion from that.

What I suppose I see are some irregularly distributed right guesses of 
the TCP sequence number, from which I really cannot imagine creating an 
exploit - but I'm anything but a hacker :-)

Anyway - I hope I could shed some light onto the problem...

Ciao/BSD - Matthias

vvvvvvvv --- ...and here is the log file --- vvvvvvvv

# Time Stamp(0x135):TCP sequence prediction aaa.bbb.ccc.ddd: \
	(1010389926) Mon Jan 07 08:52:06
# TCP Sequence Prediction: Getting initial sampling of sequence numbers
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
	seq: 2539010280(0x975638e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
	seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
	seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57028 \
	seq: 2176714600(0x81be0768)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
	seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
	seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 \
	seq: 3018759784(0xb3ee9e68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
	seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
	seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
	seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
	seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
	seq: 1774421352(0x69c38568)
# TCP Sequence Prediction: Analyzing the sequence numbers \
	by the order the SYN packets were sent
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 72227304, actual diff = -162141440
# seq[2] = 72227304, seq[3] = 1774421352, actual diff = 1702194048
# The most frequent difference is -162141440 which occurred 1 times
# The minimum difference is -162141440 which occurred 1 times
# TCP Sequence Prediction: Analyzing the sequence numbers \
	by the order the SYN/ACK packets were received
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 234368744, actual diff = 0
# seq[2] = 234368744, seq[3] = 72227304, actual diff = -162141440
# seq[3] = 72227304, seq[4] = 72227304, actual diff = 0
# seq[4] = 72227304, seq[5] = 2176714600, actual diff = 2104487296
# seq[5] = 2176714600, seq[6] = 72227304, actual diff = -2104487296
# seq[6] = 72227304, seq[7] = 4221300584, actual diff = -145894016
# seq[7] = 4221300584, seq[8] = 72227304, actual diff = 145894016
# seq[8] = 72227304, seq[9] = 72227304, actual diff = 0
# seq[9] = 72227304, seq[10] = 4221300584, actual diff = -145894016
# seq[10] = 4221300584, seq[11] = 3018759784, actual diff = -1202540800
# seq[11] = 3018759784, seq[12] = 4221300584, actual diff = 1202540800
# seq[12] = 4221300584, seq[13] = 1774421352, actual diff = 1848088064
# seq[13] = 1774421352, seq[14] = 4221300584, actual diff = -1848088064
# seq[14] = 4221300584, seq[15] = 4221300584, actual diff = 0
# seq[15] = 4221300584, seq[16] = 1774421352, actual diff = 1848088064
# The most frequent difference is 0 which occurred 4 times
# The minimum difference is 0 which occurred 4 times
# TCP Sequence Prediction: Getting new sampling of sequence numbers \
	for comparison
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
	seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
	seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
	seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
	seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
	seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
	seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
	seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 \
	seq: 1956262121(0x749a30e9)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
	seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
	seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
	seq: 4010195418(0xef06b9da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 \
	seq: 2050126938(0x7a32745a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57008 \
	seq: 2786214362(0xa61241da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57009 \
	seq: 315578330(0x12cf57da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57010 \
	seq: 621582170(0x250c975a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
	seq: 1847059930(0x6e17e5da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57012 \
	seq: 1485862362(0x589075da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
	seq: 224591066(0xd62fcda)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57014 \
	seq: 3847099610(0xe54e14da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57015 \
	seq: 4249765210(0xfd4e455a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
	seq: 3617446746(0xd79ddb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57017 \
	seq: 4032084826(0xf054bb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57018 \
	seq: 1794507994(0x6af604da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57019 \
	seq: 246642906(0xeb378da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57020 \
	seq: 2681935194(0x9fdb155a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
	seq: 578229210(0x227713da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57022 \
	seq: 2399872858(0x8f0b275a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 \
	seq: 2355487706(0x8c65e3da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57024 \
	seq: 1315568090(0x4e69f9da)
# TCP Sequence Prediction: Analyzing the sequence numbers \
	by the order the SYN packets were sent
# Guessing with most frequent difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, \
	actual diff = 1522909952, freqDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, \
	actual diff = -1960068480, freqDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, \
	actual diff = 736087424, freqDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, \
	actual diff = 1824331264, freqDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, \
	actual diff = 306003840, freqDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, \
	actual diff = 1225477760, freqDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, \
	actual diff = -361197568, freqDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, \
	actual diff = -1261271296, freqDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, \
	actual diff = -672458752, freqDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, \
	actual diff = 402665600, freqDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, \
	actual diff = -632318464, freqDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, \
	actual diff = 414638080, freqDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, \
	actual diff = 2057390464, freqDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, \
	actual diff = -1547865088, freqDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, \
	actual diff = -1859675008, freqDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, \
	actual diff = -2103705984, freqDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, \
	actual diff = 1821643648, freqDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, \
	actual diff = -44385152, freqDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, \
	actual diff = -1039919616, freqDiff = -162141440
aaa.bbb.ccc.ddd: Most frequent guess (SYN/ACK received order): \
	0 out of 19 (0.000%)
# Guessing with minimum difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, \
	actual diff = 1522909952, minDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, \
	actual diff = -1960068480, minDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, \
	actual diff = 736087424, minDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, \
	actual diff = 1824331264, minDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, \
	actual diff = 306003840, minDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, \
	actual diff = 1225477760, minDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, \
	actual diff = -361197568, minDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, \
	actual diff = -1261271296, minDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, \
	actual diff = -672458752, minDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, \
	actual diff = 402665600, minDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, \
	actual diff = -632318464, minDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, \
	actual diff = 414638080, minDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, \
	actual diff = 2057390464, minDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, \
	actual diff = -1547865088, minDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, \
	actual diff = -1859675008, minDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, \
	actual diff = -2103705984, minDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, \
	actual diff = 1821643648, minDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, \
	actual diff = -44385152, minDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, \
	actual diff = -1039919616, minDiff = -162141440
aaa.bbb.ccc.ddd: Minimum guess (SYN/ACK received order): \
	0 out of 19 (0.000%)
# TCP Sequence Prediction: Analyzing the sequence numbers \
	by the order the SYN/ACK packets were received
# Guessing with most frequent difference 0
# seq[0] = 635657064, seq[1] = 1774421352, \
	actual diff = 1138764288, freqDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, \
	actual diff = -1138764288, freqDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, \
	actual diff = -1128679936, freqDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, \
	actual diff = 1128679936, freqDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, \
	actual diff = 0, freqDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, \
	actual diff = -1128679936, freqDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, \
	actual diff = -1845682303, freqDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, \
	actual diff = 531023345, freqDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, \
	actual diff = 0, freqDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, \
	actual diff = 1522909952, freqDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, \
	actual diff = -1960068480, freqDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, \
	actual diff = 736087424, freqDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, \
	actual diff = 1824331264, freqDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, \
	actual diff = 306003840, freqDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, \
	actual diff = 1225477760, freqDiff = 0
# seq[15] = 1847059930, seq[16] = 1485862362, \
	actual diff = -361197568, freqDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, \
	actual diff = -1261271296, freqDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, \
	actual diff = -672458752, freqDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, \
	actual diff = 402665600, freqDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, \
	actual diff = -632318464, freqDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, \
	actual diff = 414638080, freqDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, \
	actual diff = 2057390464, freqDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, \
	actual diff = -1547865088, freqDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, \
	actual diff = -1859675008, freqDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, \
	actual diff = -2103705984, freqDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, \
	actual diff = 1821643648, freqDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, \
	actual diff = -44385152, freqDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, \
	actual diff = -1039919616, freqDiff = 0
aaa.bbb.ccc.ddd: Most frequent guess (SYN sent order): \
	2 out of 28 (7.143%)
# Guessing with minimum difference 0
# seq[0] = 635657064, seq[1] = 1774421352, \
	actual diff = 1138764288, minDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, \
	actual diff = -1138764288, minDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, \
	actual diff = -1128679936, minDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, \
	actual diff = 1128679936, minDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, \
	actual diff = 0, minDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, \
	actual diff = -1128679936, minDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, \
	actual diff = -1845682303, minDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, \
	actual diff = 531023345, minDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, \
	actual diff = 0, minDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, \
	actual diff = 1522909952, minDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, \
	actual diff = -1960068480, minDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, \
	actual diff = 736087424, minDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, \
	actual diff = 1824331264, minDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, \
	actual diff = 306003840, minDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, \
	actual diff = 1225477760, minDiff = 0
# seq[15] = 1847059930, seq[16] = 1485862362, \
	actual diff = -361197568, minDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, \
	actual diff = -1261271296, minDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, \
	actual diff = -672458752, minDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, \
	actual diff = 402665600, minDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, \
	actual diff = -632318464, minDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, \
	actual diff = 414638080, minDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, \
	actual diff = 2057390464, minDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, \
	actual diff = -1547865088, minDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, \
	actual diff = -1859675008, minDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, \
	actual diff = -2103705984, minDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, \
	actual diff = 1821643648, minDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, \
	actual diff = -44385152, minDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, \
	actual diff = -1039919616, minDiff = 0
aaa.bbb.ccc.ddd: Minimum guess (SYN sent order): \
	2 out of 28 (7.143%)

-- 
***************************************************************************
* Matthias Schuendehuette	msch@snafu.de	      	 		  *
* Solmsstrasse 44							  *
* D-10961 Berlin		Engineering Systems Support and Operation *
* Germany		      	(Powered by FreeBSD 4.5-PRERELEASE)   	  *
***************************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
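The quoted ISS output is detailed enough to reconstruct what the scanner actually scores, which is the question the thread is asking. The following is an added example, not code from the mail or from ISS: it parses "In TCP packet ... seq: N(0x..)" records, computes the scanner's "actual diff" values, picks the "most frequent" and "minimum" difference, and counts how often adding that difference to one ISN predicts the next one. Two details are inferred from the numbers in the log rather than documented anywhere: "actual diff" is the difference reduced to a signed 32-bit value (234368744 - 2539010280 is reported as 1990325760), and "minimum difference" is the difference closest to zero (0 is reported as the minimum although -2104487296 is present). The sample data are the first sampling's 17 ISNs and the second sampling's 29 records from the quoted log, in SYN/ACK received order; the scanner's sent-order pass evidently used only a subset of the probes and is not reproduced here.

```python
import re
from collections import Counter

# Constructed input: the 17 ISNs of the scanner's first sampling, in the order the
# SYN/ACKs were received, copied from the quoted log.
FIRST_SAMPLE = [
    2539010280, 234368744, 234368744, 72227304, 72227304, 2176714600, 72227304,
    4221300584, 72227304, 72227304, 4221300584, 3018759784, 4221300584,
    1774421352, 4221300584, 4221300584, 1774421352,
]

# Constructed input: the 29 "In TCP packet" records of the second sampling, in
# SYN/ACK received order, with the log's "\"-newline folding removed.
SECOND_SAMPLE_LOG = """\
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 seq: 1956262121(0x749a30e9)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 4010195418(0xef06b9da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 seq: 2050126938(0x7a32745a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57008 seq: 2786214362(0xa61241da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57009 seq: 315578330(0x12cf57da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57010 seq: 621582170(0x250c975a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 1847059930(0x6e17e5da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57012 seq: 1485862362(0x589075da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 seq: 224591066(0xd62fcda)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57014 seq: 3847099610(0xe54e14da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57015 seq: 4249765210(0xfd4e455a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 seq: 3617446746(0xd79ddb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57017 seq: 4032084826(0xf054bb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57018 seq: 1794507994(0x6af604da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57019 seq: 246642906(0xeb378da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57020 seq: 2681935194(0x9fdb155a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 578229210(0x227713da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57022 seq: 2399872858(0x8f0b275a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 seq: 2355487706(0x8c65e3da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57024 seq: 1315568090(0x4e69f9da)
"""

RECORD_RE = re.compile(r"dst \S+ (\d+)\s+seq:\s*(\d+)\(")


def parse_records(log_text):
    """Return (probe_port, isn) pairs in log order. Records folded with a
    trailing backslash and an indented continuation line are unfolded first."""
    unfolded = re.sub(r"\\\n\s*", " ", log_text)
    return [(int(p), int(s)) for p, s in RECORD_RE.findall(unfolded)]


def signed32(x):
    """Reduce x modulo 2**32 and read it as a signed 32-bit integer; this is how
    the scanner's 'actual diff' column behaves (assumption inferred from the log)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def isn_diffs(seqs):
    """Differences between consecutive ISNs, as the scanner reports them."""
    return [signed32(b - a) for a, b in zip(seqs, seqs[1:])]


def most_frequent_diff(diffs):
    """(value, count) of the most common difference. Ties go to the smallest value,
    which is what the quoted log chose among three differences seen once each."""
    counts = Counter(diffs)
    value = min(counts, key=lambda d: (-counts[d], d))
    return value, counts[value]


def min_abs_diff(diffs):
    """(value, count) of the scanner's 'minimum difference': the one closest to zero."""
    counts = Counter(diffs)
    value = min(counts, key=abs)
    return value, counts[value]


def guess_hits(seqs, delta):
    """How often ISN[i] + delta (mod 2**32) equals the next ISN actually observed,
    returned as (hits, trials); the scanner prints this as 'N out of M (x%)'."""
    hits = sum(1 for a, b in zip(seqs, seqs[1:]) if (a + delta) & 0xFFFFFFFF == b)
    return hits, len(seqs) - 1


def retransmission_hits(records, delta):
    """Of the guess hits, how many are consecutive SYN/ACKs from the same probe
    port. A retransmitted SYN/ACK repeats the ISN, so it always 'hits' with delta 0
    without saying anything about ISN generation."""
    return sum(1 for (pa, a), (pb, b) in zip(records, records[1:])
               if pa == pb and (a + delta) & 0xFFFFFFFF == b)


if __name__ == "__main__":
    first_diffs = isn_diffs(FIRST_SAMPLE)
    print("most frequent difference:", most_frequent_diff(first_diffs))
    print("minimum difference:", min_abs_diff(first_diffs))
    records = parse_records(SECOND_SAMPLE_LOG)
    seqs = [s for _, s in records]
    delta = most_frequent_diff(first_diffs)[0]
    hits, trials = guess_hits(seqs, delta)
    print(f"guess with {delta}: {hits} out of {trials} ({100 * hits / trials:.3f}%)")
    print("of which same-port retransmissions:", retransmission_hits(records, delta))
```

Run against the log's data this reproduces "most frequent difference is 0 which occurred 4 times" and "2 out of 28 (7.143%)". Both hits are pairs of consecutive SYN/ACKs from the same probe port (57016 and 57005) carrying the same ISN, i.e. retransmissions of one connection attempt, not a prediction of a fresh ISN, which is the concrete reason this scanner result does not show predictable sequence numbers. Note also that the scanner's summary lines label the sent-order pass as "SYN/ACK received order" and vice versa; the sample counts (19 versus 28 trials) show which is which.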