From owner-freebsd-pf@FreeBSD.ORG Fri Dec 16 19:05:05 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22D6516A42B for ; Fri, 16 Dec 2005 19:05:05 +0000 (GMT) (envelope-from frantzen@openbsd.org)
Received: from vorlon.w4g.org (vorlon.w4g.org [144.202.240.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83D8C43D4C for ; Fri, 16 Dec 2005 19:05:04 +0000 (GMT) (envelope-from frantzen@openbsd.org)
Received: from valen.localhost (localhost.w4g.org [127.0.0.1]) by vorlon.w4g.org (8.13.0/8.12.11) with ESMTP id jBGJ4t7H029650; Fri, 16 Dec 2005 14:04:55 -0500 (EST)
Received: by valen.localhost (Postfix, from userid 501) id 21D271CD34E; Fri, 16 Dec 2005 14:04:55 -0500 (EST)
Date: Fri, 16 Dec 2005 14:04:54 -0500
From: Mike Frantzen
To: Daniel Hartmeier
Message-ID: <20051216190454.GF474@w4g.org>
References: <20051216100915.73fef758.dokas@oitsec.umn.edu> <20051216183447.GA14269@insomnia.benzedrine.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20051216183447.GA14269@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: very odd PF + FreeBSD6.0 problems
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 16 Dec 2005 19:05:05 -0000

> From the logged values and the source code we can deduce that the last
> two packets from the SSH server (that.host) to the client (this.host)
> were seen (by pf, in the kernel) exactly
>
>   delta_ts.tv_sec == 120
>   delta_ts.tv_usec == 82719
>
> apart. This approximately matches the difference in the bpf log, too.
>
> So, between those two subsequent packets, the server incremented its
> timestamp by
>
>   delta_tsval == 1424952994 - 1424712993 == 240001
>
> within the timespan of
>
>   delta_usec == 120 * 1000000 + 82719 == 2082719
>
> which means it incremented its timestamp with a frequency of about
>
>   ts_freq == 240001 / 2082719 usec ~= 115 kHz

If I was to see this in the wild I would conclude it's a blind hijacking
attempt. If a spoofer gets a packet inside the sequence window with a
significantly higher timestamp then the victim will start ignoring the
packets from the original host with the smaller timestamps. That lets the
blind spoofer take over the TCP connection without the ACK storm that
typically results from out-of-line hijacking.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
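As an added example, not pf's code and not part of this thread, the frequency estimate in the quoted reply turned into a per-connection sanity check that a monitor could run on consecutive packets from the same peer, handling 32-bit TSval wraparound and a backwards-running clock as well as the jump discussed here. The packet pair is constructed so that delta_usec and delta_tsval reproduce the quoted 2082719 and 240001, and the 1 Hz to 1 kHz plausibility band is an assumption taken from the tick range RFC 1323 recommends, not a threshold pf uses.

```python
# Added example (not pf code): estimate a peer's TCP timestamp clock rate
# from two observed packets and flag rates that no sane stack would produce.
from dataclasses import dataclass

TS_MOD = 1 << 32               # TSval is a 32-bit counter and wraps
MIN_HZ, MAX_HZ = 1.0, 1000.0   # assumed plausible band: RFC 1323 recommends
                               # a tick between 1 s and 1 ms (1 Hz .. 1 kHz)

@dataclass(frozen=True)
class Seen:
    """One packet as the filter saw it: kernel time plus the TSval it carried."""
    sec: int
    usec: int
    tsval: int

def delta_usec(a: Seen, b: Seen) -> int:
    """Wall-clock gap between the two observations, in microseconds."""
    return (b.sec - a.sec) * 1_000_000 + (b.usec - a.usec)

def delta_tsval(a: Seen, b: Seen) -> int:
    """Signed TSval advance; a wrapped counter still yields a small positive delta."""
    d = (b.tsval - a.tsval) % TS_MOD
    return d - TS_MOD if d >= TS_MOD // 2 else d

def implied_freq_hz(a: Seen, b: Seen) -> float:
    """Rate at which the peer advanced its timestamp between a and b."""
    du = delta_usec(a, b)
    if du <= 0:
        raise ValueError("observations must be in chronological order")
    return delta_tsval(a, b) * 1_000_000 / du

def check_pair(a: Seen, b: Seen, tolerance: float = 0.25) -> tuple[str, float]:
    """Classify the advance as 'backwards', 'stalled', 'too_slow', 'ok' or 'too_fast'.
    'too_fast' on an established connection is the pattern the reply describes:
    a timestamp jump large enough that PAWS would drop the real peer's packets."""
    f = implied_freq_hz(a, b)
    if f < 0:
        return "backwards", f
    if f == 0:
        return "stalled", f
    if f > MAX_HZ * (1 + tolerance):
        return "too_fast", f
    if f < MIN_HZ * (1 - tolerance):
        return "too_slow", f
    return "ok", f

# Constructed pair reproducing the quoted delta_usec (2082719) and delta_tsval (240001).
QUOTED_PAIR = (Seen(0, 0, 1424712993), Seen(2, 82719, 1424952994))
```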