Date:      Thu, 23 May 1996 09:14:01 -0700
From:      Paul Traina <pst@shockwave.com>
To:        Warner Losh <imp@village.org>
Cc:        Garrett Wollman <wollman@lcs.mit.edu>, Poul-Henning Kamp <phk@critter.tfs.com>, current@FreeBSD.ORG, blh@nol.net
Subject:   Re: freebsd + synfloods + ip spoofing 
Message-ID:  <199605231614.JAA11431@precipice.shockwave.com>
In-Reply-To: Your message of "Thu, 23 May 1996 08:59:48 MDT." <199605231459.IAA09701@rover.village.org> 

[ BHL, could you send me a copy of your tools or a URL so I can verify your
  test results and check the randomness? -- Paul]


  From: Warner Losh <imp@village.org>
  Subject: Re: freebsd + synfloods + ip spoofing 
  : We're making tcp_iss random in tcp_init.c, but then manipulating it in
  : totally predictable ways.  This is not random at all.  The ISS needs to
  : be randomized on a PER tcp connection attempt.  I realize that violates
  : RFC 793, but it has to be done.
  
  There was recently an RFC issued, as I'm sure you are aware, that
  suggests making the sequence number a random thing based on the MD-5
  hash of the traditional TCP/IP 4-tuple and some host private
  information (like output from /dev/random).  Is that sufficient, or do
  sequence numbers need to be randomly jiggered more to prevent the
  attacks that are being whined, err ummm, talked about here?

That offers no improvement over just randomization.
  
  Per attempt is easy to randomize w/o violating 793 since you still
  have 2^31 bits of randomness that you can use (since the original
  request partitions the space in 2).  Even if you picked a more
  conservative figure, you can make it fairly hard to guess the next ISS
  w/o significantly impacting the ability of TCP to detect and discard
  stale packets.

That's what the 4.4 code currently tries to do, which worries me that BHL
claims it's so easy to guess FreeBSD's number.  It spins the bottom 21 bits
on a per-connection basis according to my reading of the code.

However, the random number generator that we're using could be badly broken,
which is why I want to get BHL's tools and verify his tests.

Paul
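An added illustration, not part of this message or of any FreeBSD code: the two schemes under discussion side by side, plus the kind of crude predictability check one would run over a sample of observed ISS values. The RFC Warner refers to is, by its date and content, RFC 1948, which defines ISS = M + F(local addr, local port, remote addr, remote port, secret) with M a 4-microsecond clock and F a hash (MD5 in the RFC's example). The "fixed increment" generator below is a constructed stand-in for "seed once at boot, then step by a constant per connection" and does not claim to reproduce the 4.4BSD code; the secret, addresses, ports and increment are all made-up sample values.

```python
"""Constructed comparison of a fixed-increment ISS generator with an
RFC 1948 style generator, and a simple delta-based predictability check."""
import hashlib
import socket
import struct

MASK32 = 0xFFFFFFFF
ISS_INCR = 64000  # constructed per-connection step for the predictable scheme


class FixedIncrementISS:
    """Seeded once with a random value, then stepped by a constant per
    connection: every delta between successive ISSs is identical, so one
    observed pair lets anyone compute the next value."""

    def __init__(self, seed):
        self.iss = seed & MASK32

    def next_iss(self):
        self.iss = (self.iss + ISS_INCR) & MASK32
        return self.iss


def rfc1948_iss(laddr, lport, faddr, fport, secret, usec_clock):
    """RFC 1948 style ISS: a clock term M plus a per-4-tuple offset F that is
    fixed for a given connection identity but unknown without the host secret.
    laddr/faddr are dotted-quad IPv4 strings; secret is bytes; usec_clock is
    the host clock in microseconds (M advances once every 4 microseconds)."""
    key = struct.pack("!4sH4sH",
                      socket.inet_aton(laddr), lport,
                      socket.inet_aton(faddr), fport) + secret
    f = struct.unpack("!I", hashlib.md5(key).digest()[:4])[0]
    m = (usec_clock // 4) & MASK32
    return (m + f) & MASK32


def deltas(seq):
    """Differences between successive ISS values, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(seq, seq[1:])]


def distinct_deltas(seq):
    """How many different step sizes appear: 1 means fully predictable."""
    return len(set(deltas(seq)))


def compare(n=8, secret=b"constructed-secret-0", usec_per_conn=1000):
    """Generate n ISSs from each scheme for n successive connections from the
    same client host using consecutive ephemeral ports, and return the number
    of distinct deltas each scheme produced."""
    fixed = FixedIncrementISS(seed=0x12345678)  # constructed seed
    fixed_seq = [fixed.next_iss() for _ in range(n)]
    hashed_seq = [
        rfc1948_iss("192.0.2.1", 80, "192.0.2.2", 1024 + i, secret,
                    usec_clock=i * usec_per_conn)
        for i in range(n)
    ]
    return distinct_deltas(fixed_seq), distinct_deltas(hashed_seq)


if __name__ == "__main__":
    fixed_n, hashed_n = compare()
    print(f"fixed-increment scheme: {fixed_n} distinct delta(s) over 8 connections")
    print(f"RFC 1948 scheme:        {hashed_n} distinct delta(s) over 8 connections")
```

The check is deliberately minimal: a generator that passes it is not thereby shown to be good, but one that yields a single delta, or a handful of repeating ones, is exactly the "predictable manipulation" Warner describes, and that is the first thing to look for when verifying someone's claim that a host's ISS is easy to guess. Note also Paul's point in the reply: the hash term F is constant for a given 4-tuple, so RFC 1948 removes the cross-connection correlation rather than adding more per-attempt randomness.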


