Date: Fri, 16 Dec 2005 14:04:54 -0500
From: Mike Frantzen <frantzen@openbsd.org>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: very odd PF + FreeBSD6.0 problems
Message-ID: <20051216190454.GF474@w4g.org>
In-Reply-To: <20051216183447.GA14269@insomnia.benzedrine.cx>
References: <20051216100915.73fef758.dokas@oitsec.umn.edu> <20051216183447.GA14269@insomnia.benzedrine.cx>
> From the logged values and the source code we can deduce that the last
> two packets from the SSH server (that.host) to the client (this.host)
> were seen (by pf, in the kernel) exactly
>
>   delta_ts.tv_sec  == 120
>   delta_ts.tv_usec == 82719
>
> apart. This approximately matches the difference in the bpf log, too.
> So, between those two subsequent packets, the server incremented its
> timestamp by
>
>   delta_tsval == 1424952994 - 1424712993 == 240001
>
> within the timespan of
>
>   delta_usec == 120 * 1000000 + 82719 == 2082719
>
> which means it incremented its timestamp with a frequency of about
>
>   ts_freq == 240001 / 2082719 usec ~= 115 kHz

If I were to see this in the wild I would conclude it's a blind hijacking attempt. If a spoofer gets a packet inside the sequence window with a significantly higher timestamp then the victim will start ignoring the packets from the original host with the smaller timestamps. That lets the blind spoofer take over the TCP connection without the ACK storm that typically results from out-of-line hijacking.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051216190454.GF474>