From owner-freebsd-security Tue Jan 8 13:14:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from patrocles.silby.com (d140.as13.nwbl0.wi.voyager.net [169.207.136.206]) by hub.freebsd.org (Postfix) with ESMTP id 0301A37B41D; Tue, 8 Jan 2002 13:14:10 -0800 (PST)
Received: from localhost (silby@localhost) by patrocles.silby.com (8.11.6/8.11.6) with ESMTP id g08FGrq35316; Tue, 8 Jan 2002 15:16:55 GMT (envelope-from silby@silby.com)
X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs
Date: Tue, 8 Jan 2002 15:16:53 +0000 (GMT)
From: Mike Silbersack
To: Matthias Schuendehuette
Cc: freebsd-stable@freebsd.org, ,
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
In-Reply-To:
Message-ID: <20020108151125.S34973-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 8 Jan 2002, Matthias Schuendehuette wrote:

> Hello everybody,
>
> On Tuesday, 8 January 2002 04:41 you wrote:
> > My experience with ISS is that it tends to report false positives
> > quite often. For example, we are still scratching our heads when it
> > reports ISS problems for an IRIX box running Apache.
>
> Now we have the ability to look a bit behind the scenes...
>
> I got the section of the scan logfile which concerns the TCP Sequence
> Prediction Test. I hope it's anonymized enough - 'aaa.bbb.ccc.ddd' is
> the FreeBSD 4.5-PRERELEASE box and 'www.xxx.yyy.zzz' is the scanning
> machine.
>
> I hope that some of the TCP/IP gurus will have a look at it and draw
> (and let me/us know) a conclusion from it.
>
> What I suppose to see are some irregularly distributed right guesses of
> the TCP sequence number, of which I really cannot imagine creating an
> exploit - but I'm all but a hacker :-)

I'm not really sure anything is wrong here.
The duplicate sequence numbers you are seeing are due to the syn cookie code working as expected. While the values are duplicated for you, they should not be guessable by anyone else. If you'd like to go back to random ISNs, you can simply set net.inet.tcp.syncookies=0. Security is probably comparable in either case.

So, ISS is right in that sequence numbers are repeating, but wrong in that they are predictable. The authors of ISS should probably sit down and try to modify their detection so that it detects RFC 1948 and syncookie generated sequence numbers as distinct from other classes.

Mike "Silby" Silbersack
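As an added illustration (not code from this list or from FreeBSD), a small Python model of the point above: a SYN-cookie style ISN is a keyed hash of the 4-tuple and the current secret window, so a scanner that reconnects on the same tuple within one window sees the same value, while an RFC 1948 ISN adds a timer term and does not repeat; in neither scheme does the ISN issued to one tuple tell a third host the ISN for another. HMAC-SHA256 standing in for the keyed hash, the secret window counter, and the scanner reusing one source port are assumptions of the model, not details from the thread.

```python
import hashlib
import hmac
from collections import Counter

# Constructed model of two ISN schemes, not FreeBSD's implementation.
# A 4-tuple is (local_ip, local_port, remote_ip, remote_port).


def keyed_hash32(secret: bytes, *fields) -> int:
    """32-bit truncation of HMAC-SHA256 over the fields; stands in for
    the keyed hash F of RFC 1948 (assumption: RFC 1948 itself suggests MD5)."""
    msg = ":".join(str(f) for f in fields).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def rfc1948_isn(secret: bytes, tuple4, clock_us: int) -> int:
    """RFC 1948: ISN = M + F(tuple4, secret), with M a timer ticking every
    4 microseconds, so repeated connections on one tuple get different ISNs."""
    return (clock_us // 4 + keyed_hash32(secret, *tuple4)) & 0xFFFFFFFF


def syncookie_isn(secret: bytes, tuple4, window: int) -> int:
    """SYN-cookie style ISN (modelled): keyed hash of the secret window and the
    tuple only. Same tuple in the same window always yields the same value."""
    return keyed_hash32(secret, window, *tuple4)


def probe_isns(isn_fn, secret: bytes, server: str, scanner: str, probes):
    """ISNs a scanner observes; probes is a list of (source_port, scheme_context),
    where the context is the timer value (RFC 1948) or the window (SYN cookie)."""
    return [isn_fn(secret, (server, 80, scanner, port), ctx) for port, ctx in probes]


def has_repeats(isns) -> bool:
    """The check the scanner applies: was any ISN handed out more than once?"""
    return any(n > 1 for n in Counter(isns).values())


def leaks_to_other_tuple(isn_fn, secret: bytes, own_tuple, other_tuple, ctx) -> bool:
    """Does the ISN issued to the scanner's own tuple equal the ISN issued to a
    different tuple in the same context? Repeats per tuple do not imply this."""
    return isn_fn(secret, own_tuple, ctx) == isn_fn(secret, other_tuple, ctx)


if __name__ == "__main__":
    s = b"constructed-secret"  # constructed, never derived from a real host
    same_port = [(40000, 7)] * 3
    print("syncookie repeats:", has_repeats(probe_isns(syncookie_isn, s, "10.0.0.1", "10.0.0.2", same_port)))
    ticks = [(40000, t) for t in (0, 100, 200)]
    print("rfc1948 repeats:", has_repeats(probe_isns(rfc1948_isn, s, "10.0.0.1", "10.0.0.2", ticks)))
```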