Date:      Wed, 9 Jan 2002 12:19:41 -0600 (CST)
From:      Jonathan Lemon <jlemon@flugsvamp.com>
To:        msch@snafu.de, stable@freebsd.org
Subject:   Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID:  <200201091819.g09IJf983514@prism.flugsvamp.com>
In-Reply-To: <local.mail.freebsd-stable/E16O2qF-0004KI-00@clever.eusc.inter.net>
References:  <local.mail.freebsd-stable/E16MX0z-0004sQ-00@clever.eusc.inter.net> <local.mail.freebsd-stable/20020107104258.Y23081-100000@crimelords.org> <local.mail.freebsd-stable/20020107214128.A19265@net.tamu.edu>

In article <local.mail.freebsd-stable/E16O2qF-0004KI-00@clever.eusc.inter.net> you write:
>
>I got the section of the Scan-Logfile, which concerns the TCP-Sequence 
>Prediction Test. I hope, it's anonymized enough - 'aaa.bbb.ccc.ddd' is 
>the FreeBSD 4.5-PRERELEASE Box and 'www.xxx.yyy.zzz' is the scanning 
>machine.
>
>What I suppose to see are some irregular distributed right guesses of 
>the TCP sequence number of which I really cannot imagine to create an 
>exploit - but I'm all but a hacker :-)

># In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
>	seq: 72227304(0x44e19e8)
># In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
>	seq: 72227304(0x44e19e8)

This is correct.  With 4.5-PRE (as with -current), by default all ISNs
are valid SYN cookies, rather than being random values.  What this means
in practical terms is that at any given time, the ISN is deterministic,
as it is essentially the output of an MD5 hash:

    ISN ~= MD5(srcIP, dstIP, srcPort, dstPort, random_value)

with the random_value being changed on a periodic basis.

However, this does not mean that the output is guessable.  AFAIK, there
is no way to reverse an MD5 hash, which means that there is no known
relationship between the ISNs generated by using different input values
to the MD5 function.  As there is also a random time-based component in
the hash, it should not be possible to brute force the hash either.

Basically ISS is wrong here if it claims that the sequence numbers
are predictable.  However, if it makes you nervous, disabling syncookies
with 'net.inet.tcp.syncookies' will revert the ISN generation back to
the approach used in 4.3.
-- 
Jonathan
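As an added illustration (not part of this message or of FreeBSD's code), here is a constructed Python model of the cookie-style ISN scheme described above: the ISN is a truncated MD5 of the connection 4-tuple plus a secret that is rotated on a fixed period. The rotation period, the 16-byte secret size and the sample addresses are assumptions; the model shows why two SYNs from the same 4-tuple within one period carry the same ISN (as in the scan log) while a different port or a later period gives an unrelated value.

```python
import hashlib
import secrets
import struct
from ipaddress import IPv4Address

# Constructed model of a cookie-style ISN, not FreeBSD's own code: the ISN is
# the truncated MD5 of the connection 4-tuple plus a secret that is rotated
# every SECRET_LIFETIME seconds (an assumed value).
SECRET_LIFETIME = 60


def isn_for(src_ip, dst_ip, src_port, dst_port, secret):
    """ISN ~= MD5(srcIP, dstIP, srcPort, dstPort, random_value), cut to 32 bits."""
    data = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port) + secret)
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


class IsnGenerator:
    """Rotates the secret once per SECRET_LIFETIME; the same 4-tuple within one
    period therefore yields the same ISN, which is what the scan log shows."""

    def __init__(self, rng=secrets.token_bytes):
        self._rng = rng          # callable returning n random bytes
        self._secret = b""
        self._period = None

    def _secret_at(self, now):
        period = int(now // SECRET_LIFETIME)
        if period != self._period:       # new period: draw a fresh secret
            self._secret = self._rng(16)
            self._period = period
        return self._secret

    def isn(self, src_ip, dst_ip, src_port, dst_port, now):
        return isn_for(src_ip, dst_ip, src_port, dst_port, self._secret_at(now))


def demo():
    """Same 4-tuple twice in one period, then another port, then a later period."""
    gen = IsnGenerator()
    a = gen.isn("10.0.0.1", "10.0.0.2", 22, 57011, now=1000.0)   # constructed
    b = gen.isn("10.0.0.1", "10.0.0.2", 22, 57011, now=1001.0)   # same period
    c = gen.isn("10.0.0.1", "10.0.0.2", 22, 57012, now=1001.0)   # other port
    d = gen.isn("10.0.0.1", "10.0.0.2", 22, 57011, now=1000.0 + SECRET_LIFETIME)
    return a == b, a != c, a != d


if __name__ == "__main__":
    print(demo())
```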

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201091819.g09IJf983514>