From owner-freebsd-security Tue Jan 8 12:28:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from clever.eusc.inter.net (clever.eusc.inter.net [213.73.101.4]) by hub.freebsd.org (Postfix) with ESMTP id D3AFF37B405; Tue, 8 Jan 2002 12:27:35 -0800 (PST)
Received: from tc08-n66-183.de.inter.net ([213.73.66.183] helo=there) by clever.eusc.inter.net with smtp (Exim 3.22 #3) id 16O2qF-0004KI-00; Tue, 08 Jan 2002 21:27:27 +0100
Content-Type: text/plain; charset="iso-8859-1"
From: Matthias Schuendehuette
Reply-To: msch@snafu.de
Organization: Micro$oft-free Zone
To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Date: Tue, 8 Jan 2002 21:27:01 +0100
X-Mailer: KMail [version 1.3.1]
References: <20020107104258.Y23081-100000@crimelords.org> <20020107214128.A19265@net.tamu.edu>
In-Reply-To: <20020107214128.A19265@net.tamu.edu>
Cc: Peter.Sauerland@siemens.com
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello everybody,

On Tuesday, 8 January 2002 04:41, you wrote:
> My experience with ISS is that it tends to report false positives
> quite often. For example, we are still scratching our heads when it
> reports ISS problems for an IRIX box running Apache.

Now we have the ability to look a bit behind the scenes... I got the section of the scan logfile which concerns the TCP Sequence Prediction test. I hope it's anonymized enough - 'aaa.bbb.ccc.ddd' is the FreeBSD 4.5-PRERELEASE box and 'www.xxx.yyy.zzz' is the scanning machine.

I hope that some of the TCP/IP gurus will have a look at it and draw (and let me/us know) a conclusion from it.
What I suppose to see are some irregularly distributed right guesses of the TCP sequence number, of which I really cannot imagine creating an exploit - but I'm all but a hacker :-)

Anyway - I hope I could shed some light on the problem...

Ciao/BSD - Matthias

vvvvvvvv --- ...and here the Log-file --- vvvvvvvv

# Time Stamp(0x135):TCP sequence prediction aaa.bbb.ccc.ddd: \
    (1010389926) Mon Jan 07 08:52:06
# TCP Sequence Prediction: Getting initial sampling of sequence numbers
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
    seq: 2539010280(0x975638e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
    seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
    seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57028 \
    seq: 2176714600(0x81be0768)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
    seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
    seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 \
    seq: 3018759784(0xb3ee9e68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
    seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
    seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
    seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 \
    seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
    seq: 1774421352(0x69c38568)
# TCP Sequence Prediction: Analyzing the sequence numbers \
    by the order the SYN packets were sent
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 72227304, actual diff = -162141440
# seq[2] = 72227304, seq[3] = 1774421352, actual diff = 1702194048
# The most frequent difference is -162141440 which occurred 1 times
# The minimum difference is -162141440 which occurred 1 times
# TCP Sequence Prediction: Analyzing the sequence numbers \
    by the order the SYN/ACK packets were received
# seq[0] = 2539010280, seq[1] = 234368744, actual diff = 1990325760
# seq[1] = 234368744, seq[2] = 234368744, actual diff = 0
# seq[2] = 234368744, seq[3] = 72227304, actual diff = -162141440
# seq[3] = 72227304, seq[4] = 72227304, actual diff = 0
# seq[4] = 72227304, seq[5] = 2176714600, actual diff = 2104487296
# seq[5] = 2176714600, seq[6] = 72227304, actual diff = -2104487296
# seq[6] = 72227304, seq[7] = 4221300584, actual diff = -145894016
# seq[7] = 4221300584, seq[8] = 72227304, actual diff = 145894016
# seq[8] = 72227304, seq[9] = 72227304, actual diff = 0
# seq[9] = 72227304, seq[10] = 4221300584, actual diff = -145894016
# seq[10] = 4221300584, seq[11] = 3018759784, actual diff = -1202540800
# seq[11] = 3018759784, seq[12] = 4221300584, actual diff = 1202540800
# seq[12] = 4221300584, seq[13] = 1774421352, actual diff = 1848088064
# seq[13] = 1774421352, seq[14] = 4221300584, actual diff = -1848088064
# seq[14] = 4221300584, seq[15] = 4221300584, actual diff = 0
# seq[15] = 4221300584, seq[16] = 1774421352, actual diff = 1848088064
# The most frequent difference is 0 which occurred 4 times
# The minimum difference is 0 which occurred 4 times
# TCP Sequence Prediction: Getting new sampling of sequence numbers \
    for comparison
# TCP Sequence Prediction: Checking predicability on destination port 22
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
    seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
    seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
    seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
    seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
    seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
    seq: 635657064(0x25e35b68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
    seq: 3801944424(0xe29d1168)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 \
    seq: 1956262121(0x749a30e9)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
    seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 \
    seq: 2487285466(0x9440f6da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 \
    seq: 4010195418(0xef06b9da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57007 \
    seq: 2050126938(0x7a32745a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57008 \
    seq: 2786214362(0xa61241da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57009 \
    seq: 315578330(0x12cf57da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57010 \
    seq: 621582170(0x250c975a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
    seq: 1847059930(0x6e17e5da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57012 \
    seq: 1485862362(0x589075da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57013 \
    seq: 224591066(0xd62fcda)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57014 \
    seq: 3847099610(0xe54e14da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57015 \
    seq: 4249765210(0xfd4e455a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57016 \
    seq: 3617446746(0xd79ddb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57017 \
    seq: 4032084826(0xf054bb5a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57018 \
    seq: 1794507994(0x6af604da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57019 \
    seq: 246642906(0xeb378da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57020 \
    seq: 2681935194(0x9fdb155a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 \
    seq: 578229210(0x227713da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57022 \
    seq: 2399872858(0x8f0b275a)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 \
    seq: 2355487706(0x8c65e3da)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57024 \
    seq: 1315568090(0x4e69f9da)
# TCP Sequence Prediction: Analyzing the sequence numbers \
    by the order the SYN packets were sent
# Guessing with most frequent difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, \
    actual diff = 1522909952, freqDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, \
    actual diff = -1960068480, freqDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, \
    actual diff = 736087424, freqDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, \
    actual diff = 1824331264, freqDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, \
    actual diff = 306003840, freqDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, \
    actual diff = 1225477760, freqDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, \
    actual diff = -361197568, freqDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, \
    actual diff = -1261271296, freqDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, \
    actual diff = -672458752, freqDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, \
    actual diff = 402665600, freqDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, \
    actual diff = -632318464, freqDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, \
    actual diff = 414638080, freqDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, \
    actual diff = 2057390464, freqDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, \
    actual diff = -1547865088, freqDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, \
    actual diff = -1859675008, freqDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, \
    actual diff = -2103705984, freqDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, \
    actual diff = 1821643648, freqDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, \
    actual diff = -44385152, freqDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, \
    actual diff = -1039919616, freqDiff = -162141440
aaa.bbb.ccc.ddd: Most frequent guess (SYN/ACK received order): \
    0 out of 19 (0.000%)
# Guessing with minimum difference -162141440
# seq[0] = 2487285466, seq[1] = 4010195418, \
    actual diff = 1522909952, minDiff = -162141440
# seq[1] = 4010195418, seq[2] = 2050126938, \
    actual diff = -1960068480, minDiff = -162141440
# seq[2] = 2050126938, seq[3] = 2786214362, \
    actual diff = 736087424, minDiff = -162141440
# seq[3] = 2786214362, seq[4] = 315578330, \
    actual diff = 1824331264, minDiff = -162141440
# seq[4] = 315578330, seq[5] = 621582170, \
    actual diff = 306003840, minDiff = -162141440
# seq[5] = 621582170, seq[6] = 1847059930, \
    actual diff = 1225477760, minDiff = -162141440
# seq[6] = 1847059930, seq[7] = 1485862362, \
    actual diff = -361197568, minDiff = -162141440
# seq[7] = 1485862362, seq[8] = 224591066, \
    actual diff = -1261271296, minDiff = -162141440
# seq[8] = 224591066, seq[9] = 3847099610, \
    actual diff = -672458752, minDiff = -162141440
# seq[9] = 3847099610, seq[10] = 4249765210, \
    actual diff = 402665600, minDiff = -162141440
# seq[10] = 4249765210, seq[11] = 3617446746, \
    actual diff = -632318464, minDiff = -162141440
# seq[11] = 3617446746, seq[12] = 4032084826, \
    actual diff = 414638080, minDiff = -162141440
# seq[12] = 4032084826, seq[13] = 1794507994, \
    actual diff = 2057390464, minDiff = -162141440
# seq[13] = 1794507994, seq[14] = 246642906, \
    actual diff = -1547865088, minDiff = -162141440
# seq[14] = 246642906, seq[15] = 2681935194, \
    actual diff = -1859675008, minDiff = -162141440
# seq[15] = 2681935194, seq[16] = 578229210, \
    actual diff = -2103705984, minDiff = -162141440
# seq[16] = 578229210, seq[17] = 2399872858, \
    actual diff = 1821643648, minDiff = -162141440
# seq[17] = 2399872858, seq[18] = 2355487706, \
    actual diff = -44385152, minDiff = -162141440
# seq[18] = 2355487706, seq[19] = 1315568090, \
    actual diff = -1039919616, minDiff = -162141440
aaa.bbb.ccc.ddd: Minimum guess (SYN/ACK received order): \
    0 out of 19 (0.000%)
# TCP Sequence Prediction: Analyzing the sequence numbers \
    by the order the SYN/ACK packets were received
# Guessing with most frequent difference 0
# seq[0] = 635657064, seq[1] = 1774421352, \
    actual diff = 1138764288, freqDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, \
    actual diff = -1138764288, freqDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, \
    actual diff = -1128679936, freqDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, \
    actual diff = 1128679936, freqDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, \
    actual diff = 0, freqDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, \
    actual diff = -1128679936, freqDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, \
    actual diff = -1845682303, freqDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, \
    actual diff = 531023345, freqDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, \
    actual diff = 0, freqDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, \
    actual diff = 1522909952, freqDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, \
    actual diff = -1960068480, freqDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, \
    actual diff = 736087424, freqDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, \
    actual diff = 1824331264, freqDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, \
    actual diff = 306003840, freqDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, \
    actual diff = 1225477760, freqDiff = 0
# seq[15] = 1847059930, seq[16] = 1485862362, \
    actual diff = -361197568, freqDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, \
    actual diff = -1261271296, freqDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, \
    actual diff = -672458752, freqDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, \
    actual diff = 402665600, freqDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, \
    actual diff = -632318464, freqDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, \
    actual diff = 414638080, freqDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, \
    actual diff = 2057390464, freqDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, \
    actual diff = -1547865088, freqDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, \
    actual diff = -1859675008, freqDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, \
    actual diff = -2103705984, freqDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, \
    actual diff = 1821643648, freqDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, \
    actual diff = -44385152, freqDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, \
    actual diff = -1039919616, freqDiff = 0
aaa.bbb.ccc.ddd: Most frequent guess (SYN sent order): \
    2 out of 28 (7.143%)
# Guessing with minimum difference 0
# seq[0] = 635657064, seq[1] = 1774421352, \
    actual diff = 1138764288, minDiff = 0
# seq[1] = 1774421352, seq[2] = 635657064, \
    actual diff = -1138764288, minDiff = 0
# seq[2] = 635657064, seq[3] = 3801944424, \
    actual diff = -1128679936, minDiff = 0
# seq[3] = 3801944424, seq[4] = 635657064, \
    actual diff = 1128679936, minDiff = 0
# seq[4] = 635657064, seq[5] = 635657064, \
    actual diff = 0, minDiff = 0
# seq[5] = 635657064, seq[6] = 3801944424, \
    actual diff = -1128679936, minDiff = 0
# seq[6] = 3801944424, seq[7] = 1956262121, \
    actual diff = -1845682303, minDiff = 0
# seq[7] = 1956262121, seq[8] = 2487285466, \
    actual diff = 531023345, minDiff = 0
# seq[8] = 2487285466, seq[9] = 2487285466, \
    actual diff = 0, minDiff = 0
# seq[9] = 2487285466, seq[10] = 4010195418, \
    actual diff = 1522909952, minDiff = 0
# seq[10] = 4010195418, seq[11] = 2050126938, \
    actual diff = -1960068480, minDiff = 0
# seq[11] = 2050126938, seq[12] = 2786214362, \
    actual diff = 736087424, minDiff = 0
# seq[12] = 2786214362, seq[13] = 315578330, \
    actual diff = 1824331264, minDiff = 0
# seq[13] = 315578330, seq[14] = 621582170, \
    actual diff = 306003840, minDiff = 0
# seq[14] = 621582170, seq[15] = 1847059930, \
    actual diff = 1225477760, minDiff = 0
# seq[15] = 1847059930, seq[16] = 1485862362, \
    actual diff = -361197568, minDiff = 0
# seq[16] = 1485862362, seq[17] = 224591066, \
    actual diff = -1261271296, minDiff = 0
# seq[17] = 224591066, seq[18] = 3847099610, \
    actual diff = -672458752, minDiff = 0
# seq[18] = 3847099610, seq[19] = 4249765210, \
    actual diff = 402665600, minDiff = 0
# seq[19] = 4249765210, seq[20] = 3617446746, \
    actual diff = -632318464, minDiff = 0
# seq[20] = 3617446746, seq[21] = 4032084826, \
    actual diff = 414638080, minDiff = 0
# seq[21] = 4032084826, seq[22] = 1794507994, \
    actual diff = 2057390464, minDiff = 0
# seq[22] = 1794507994, seq[23] = 246642906, \
    actual diff = -1547865088, minDiff = 0
# seq[23] = 246642906, seq[24] = 2681935194, \
    actual diff = -1859675008, minDiff = 0
# seq[24] = 2681935194, seq[25] = 578229210, \
    actual diff = -2103705984, minDiff = 0
# seq[25] = 578229210, seq[26] = 2399872858, \
    actual diff = 1821643648, minDiff = 0
# seq[26] = 2399872858, seq[27] = 2355487706, \
    actual diff = -44385152, minDiff = 0
# seq[27] = 2355487706, seq[28] = 1315568090, \
    actual diff = -1039919616, minDiff = 0
aaa.bbb.ccc.ddd: Minimum guess (SYN sent order): \
    2 out of 28 (7.143%)

-- 
***************************************************************************
* Matthias Schuendehuette                                   msch@snafu.de *
* Solmsstrasse 44                                                         *
* D-10961 Berlin          Engineering Systems Support and Operation       *
* Germany                 (Powered by FreeBSD 4.5-PRERELEASE)             *
***************************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
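The arithmetic the scanner log performs can be reproduced offline from the logged ISNs, which is the quickest way to check whether a reported "guess" rate reflects predictable sequence numbers or an artifact of the sample. The Python script below is an added example, not part of Matthias' post or of the ISS scanner: it parses the `# In TCP packet ... seq:` lines, computes the consecutive differences in 32-bit sequence space exactly as the log prints them (signed, wrapping at 2^32), picks the "most frequent" and "minimum" (smallest-magnitude) difference, and scores how many consecutive pairs that fixed difference would have predicted. It then collapses the sample to one ISN per client port: in the received-order list above, the same client port appears several times with the same ISN, which is what a retransmitted SYN/ACK for one half-open connection looks like, and those repeats are the source of every zero difference the scanner counts as a hit. The sample lines are the first received-order sample from the post with the backslash wraps joined; the function names, the regular expression and the per-port collapsing are my own construction, and the "minimum difference" reading (smallest magnitude) is inferred from the two values the log reports.

```python
import re
from collections import Counter

# Constructed input: the first "SYN/ACK received order" sample from the
# scanner log quoted in the post, with the backslash line wraps joined.
SAMPLE_LOG = """\
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57005 seq: 2539010280(0x975638e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57006 seq: 234368744(0xdf82ee8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57028 seq: 2176714600(0x81be0768)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 seq: 72227304(0x44e19e8)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57023 seq: 3018759784(0xb3ee9e68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57026 seq: 4221300584(0xfb9bef68)
# In TCP packet src aabbccdd:22 dst wwxxyyzz 57021 seq: 1774421352(0x69c38568)
"""

# Hypothetical parser for the log's packet lines (my own, not the scanner's).
PACKET_RE = re.compile(
    r"# In TCP packet src \S+ dst \S+ (?P<port>\d+)\s+"
    r"seq:\s+(?P<dec>\d+)\(0x(?P<hex>[0-9a-fA-F]+)\)"
)
MASK32 = 0xFFFFFFFF


def parse_isns(log):
    """Return [(client_port, isn), ...] in the order the scanner logged them.

    Backslash-wrapped lines (as in the mailed log) are joined first; the
    decimal and hex renderings of each ISN must agree or the log is corrupt.
    """
    samples = []
    for line in log.replace("\\\n", " ").splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        if dec != hx:
            raise ValueError(f"decimal/hex mismatch in: {line!r}")
        samples.append((int(m["port"]), dec))
    return samples


def signed_diff(a, b):
    """b - a in 32-bit sequence space as a signed value (the log's 'actual diff')."""
    d = (b - a) & MASK32
    return d - (1 << 32) if d & 0x80000000 else d


def consecutive_diffs(isns):
    return [signed_diff(a, b) for a, b in zip(isns, isns[1:])]


def most_frequent_diff(isns):
    """(difference, count) for the log's 'most frequent difference'."""
    return Counter(consecutive_diffs(isns)).most_common(1)[0]


def minimum_diff(isns):
    """The log's 'minimum difference', read as the smallest-magnitude delta."""
    return min(consecutive_diffs(isns), key=abs)


def score_guess(isns, guess):
    """(hits, pairs): how often the fixed delta 'guess' predicts the next ISN."""
    diffs = consecutive_diffs(isns)
    return sum(1 for d in diffs if d == guess), len(diffs)


def one_isn_per_port(samples):
    """Keep the first ISN seen per client port, dropping retransmitted SYN/ACKs,
    which carry the same ISN and would otherwise yield a spurious delta of 0."""
    seen = {}
    for port, isn in samples:
        seen.setdefault(port, isn)
    return list(seen.values())


def main():
    samples = parse_isns(SAMPLE_LOG)
    raw = [isn for _, isn in samples]
    diff, count = most_frequent_diff(raw)
    print(f"{len(raw)} ISNs logged; most frequent difference {diff} "
          f"occurred {count} times, minimum difference {minimum_diff(raw)}")
    hits, pairs = score_guess(raw, diff)
    print(f"raw sample: guess hits {hits} of {pairs} pairs")
    hits, pairs = score_guess(one_isn_per_port(samples), diff)
    print(f"one ISN per connection: guess hits {hits} of {pairs} pairs")


if __name__ == "__main__":
    main()
```

On the raw sample the script reproduces the log: most frequent difference 0, four occurrences, 4 of 16 pairs "predicted". Once each client port is counted once, the same guess predicts 0 of 6 pairs, so the non-zero hit rate the scanner reports for this host comes from duplicate SYN/ACKs rather than from any regularity in the ISNs themselves. The same functions can be run over a capture of one's own host's SYN/ACKs before treating such a finding as a real weakness.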