Date:      Tue, 8 Jan 2002 15:16:53 +0000 (GMT)
From:      Mike Silbersack <silby@silby.com>
To:        Matthias Schuendehuette <msch@snafu.de>
Cc:        freebsd-stable@freebsd.org, <freebsd-security@freebsd.org>, <Peter.Sauerland@siemens.com>
Subject:   Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID:  <20020108151125.S34973-100000@patrocles.silby.com>
In-Reply-To: <E16O2qF-0004KI-00@clever.eusc.inter.net>


On Tue, 8 Jan 2002, Matthias Schuendehuette wrote:

> Hello everybody,
>
> On Tuesday, 8 January 2002 04:41, you wrote:
> > My experience with ISS is that it tends to report false positives
> > quite often.  For example, we are still scratching our heads when it
> > reports ISS problems for an IRIX box running Apache.
>
> Now we have the ability to look a bit behind the scenes...
>
> I got the section of the Scan-Logfile, which concerns the TCP-Sequence
> Prediction Test. I hope, it's anonymized enough - 'aaa.bbb.ccc.ddd' is
> the FreeBSD 4.5-PRERELEASE Box and 'www.xxx.yyy.zzz' is the scanning
> machine.
>
> I hope that some of the TCP/IP gurus will have a look at it and draw (
> and let me/us know) a conclusion from that.
>
> What I suppose I see are some irregularly distributed right guesses of
> the TCP sequence number, from which I really cannot imagine creating an
> exploit - but I'm anything but a hacker :-)

I'm not really sure anything is wrong here.  The duplicate sequence
numbers you are seeing are due to the syn cookie code working as expected.
While the values are duplicated for you, they should not be guessable by
anyone else.

If you'd like to go back to random ISNs, you can simply set
net.inet.tcp.syncookies=0.  Security is probably comparable in either
case.

So, ISS is right in that sequence numbers are repeating, but wrong in that
they are predictable.  The authors of ISS should probably sit down and try
to modify their detection so that it detects RFC 1948 and syncookie
generated sequence numbers as distinct from other classes.

Mike "Silby" Silbersack
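To make the distinction Mike draws concrete, here is an added worked example (not code from this thread, and not FreeBSD's syncache/syncookie implementation): a syncookie-style ISN is a keyed hash over the 4-tuple and a coarse time counter, so the same scanner source port inside one counter window gets the same ISN (the "repeats" ISS flagged), while nobody without the host secret can compute it; an RFC 1948 style ISN is a global clock plus a secret per-4-tuple offset. The HMAC-SHA256 construction, the message layout, the counter window and the 250 kHz clock are this example's assumptions, chosen only to illustrate the property.

```python
import hashlib
import hmac
import os

# Constructed example of syncookie-style and RFC 1948 style ISN generation.
# NOT FreeBSD's code: the keyed-hash choice, message format and counter
# granularity are assumptions made for illustration.

SECRET = os.urandom(16)  # per-host secret; the scanner never sees it


def syncookie_isn(src_ip, src_port, dst_ip, dst_port, counter, secret=SECRET):
    """32-bit ISN for a SYN: keyed hash over the 4-tuple and a coarse counter.

    Same 4-tuple + same counter window -> same ISN, which is exactly what a
    scanner reusing a source port observes as "repeating" sequence numbers.
    Without `secret` the value cannot be derived from anything on the wire.
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def syncookie_valid(src_ip, src_port, dst_ip, dst_port, ack, counter,
                    secret=SECRET, window=1):
    """Validate the third-handshake ACK with no stored per-connection state.

    The peer must echo our ISN + 1; we recompute the cookie for the current
    counter and `window` earlier ones (older cookies have expired).
    """
    expected = (ack - 1) & 0xFFFFFFFF
    return any(
        syncookie_isn(src_ip, src_port, dst_ip, dst_port, counter - i, secret)
        == expected
        for i in range(window + 1)
    )


def rfc1948_isn(src_ip, src_port, dst_ip, dst_port, clock_usec, secret=SECRET):
    """RFC 1948 style ISN: a 250 kHz global clock plus a secret per-4-tuple offset.

    Successive connections on one 4-tuple advance predictably relative to each
    other, but the offset between different 4-tuples is unknown to outsiders.
    """
    offset = syncookie_isn(src_ip, src_port, dst_ip, dst_port, "rfc1948", secret)
    return ((clock_usec // 4) + offset) & 0xFFFFFFFF


def demo():
    # Constructed placeholder addresses, as in the quoted scan log.
    box, scanner = "aaa.bbb.ccc.ddd", "www.xxx.yyy.zzz"
    tup = (scanner, 40000, box, 80)
    # Two SYNs from the same source port in one counter window: identical ISNs.
    a = syncookie_isn(*tup, counter=1000)
    b = syncookie_isn(*tup, counter=1000)
    # A different source port, or the next window, yields an unrelated value.
    c = syncookie_isn(scanner, 40001, box, 80, counter=1000)
    d = syncookie_isn(*tup, counter=1001)
    # An observer who knows everything except the secret cannot reproduce it.
    guess = syncookie_isn(*tup, counter=1000, secret=b"\x00" * 16)
    # The genuine ACK validates one window later; a forged one does not.
    ok = syncookie_valid(*tup, ack=(a + 1) & 0xFFFFFFFF, counter=1001)
    forged = syncookie_valid(*tup, ack=(guess + 1) & 0xFFFFFFFF, counter=1001)
    # RFC 1948: 4 s later on the same 4-tuple the ISN has advanced by exactly 1e6.
    r1 = rfc1948_isn(*tup, clock_usec=0)
    r2 = rfc1948_isn(*tup, clock_usec=4_000_000)
    return {
        "repeat": a == b,
        "port_differs": a != c,
        "window_differs": a != d,
        "guess_fails": guess != a,
        "ack_ok": ok,
        "forged_ack_rejected": not forged,
        "rfc1948_step": (r2 - r1) & 0xFFFFFFFF == 1_000_000,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as-is it prints True for every check: the repeats a scanner sees are by construction, and the only way to produce a valid cookie is to hold the secret, which is why repetition alone is not evidence of predictability.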


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020108151125.S34973-100000>