Date: Wed, 9 Jan 2002 12:19:41 -0600 (CST)
From: Jonathan Lemon <jlemon@flugsvamp.com>
To: msch@snafu.de, stable@freebsd.org
Subject: Re: TCP Sequence-Prediction (4.5-PRE)
Message-ID: <200201091819.g09IJf983514@prism.flugsvamp.com>
In-Reply-To: <local.mail.freebsd-stable/E16O2qF-0004KI-00@clever.eusc.inter.net>
References: <local.mail.freebsd-stable/E16MX0z-0004sQ-00@clever.eusc.inter.net>
    <local.mail.freebsd-stable/20020107104258.Y23081-100000@crimelords.org>
    <local.mail.freebsd-stable/20020107214128.A19265@net.tamu.edu>

In article <local.mail.freebsd-stable/E16O2qF-0004KI-00@clever.eusc.inter.net> you write:
>
>I got the section of the Scan-Logfile, which concerns the TCP-Sequence
>Prediction Test. I hope, it's anonymized enough - 'aaa.bbb.ccc.ddd' is
>the FreeBSD 4.5-PRERELEASE Box and 'www.xxx.yyy.zzz' is the scanning
>machine.
>
>What I suppose to see are some irregular distributed right guesses of
>the TCP sequence number of which I really cannot imagine to create an
>exploit - but I'm all but a hacker :-)

># In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
>   seq: 72227304(0x44e19e8)

># In TCP packet src aabbccdd:22 dst wwxxyyzz 57011 \
>   seq: 72227304(0x44e19e8)

This is correct. With 4.5-PRE (as with -current), by default all
ISNs are valid SYN cookies, rather than being random values.

What this means in practical terms is that at any given time, the
ISN is deterministic, as it is essentially the output of an MD5 hash:

    ISN ~= MD5(srcIP, dstIP, srcPort, dstPort, random_value)

with the random_value being changed on a periodic basis.

However, this does not mean that the output is guessable. AFAIK,
there is no way to reverse an MD5 hash, which means that there is no
known relationship between the ISNs generated by using different
input values to the MD5 function. As there is also a random
time-based component in the hash, it should not be possible to
brute force the hash either.

Basically ISS is wrong here if it claims that the sequence numbers
are predictable. However, if it makes you nervous, disabling
syncookies with 'net.inet.tcp.syncookies' will revert the ISS
generation back to the approach used in 4.3.
--
Jonathan
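
Added example (not part of the original message, and not FreeBSD's kernel code): a simplified Python model of the formula in the reply, showing why a scanner that repeats the same 4-tuple within one secret period sees the same ISN, while another port or a rotated secret gives an unrelated value. The class name, the 16-byte secret, the 4-second rotation interval and the addresses are assumptions made for illustration.

```python
import hashlib
import os
import socket
import struct


class IsnModel:
    """Toy model of ISN ~= MD5(srcIP, dstIP, srcPort, dstPort, random_value)."""

    def __init__(self, rotate_every=4.0):
        self.rotate_every = rotate_every  # seconds; assumed, not FreeBSD's value
        self._epoch = None
        self._secret = b""

    def _secret_for(self, now):
        # Draw a fresh random_value whenever the rotation period has elapsed.
        epoch = int(now // self.rotate_every)
        if epoch != self._epoch:
            self._epoch = epoch
            self._secret = os.urandom(16)
        return self._secret

    def isn(self, src_ip, dst_ip, src_port, dst_port, now):
        material = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                    + struct.pack("!HH", src_port, dst_port)
                    + self._secret_for(now))
        # Keep the first 32 bits of the digest as the sequence number.
        return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def demo():
    # Constructed sample: documentation addresses, ports as in the quoted log.
    server, scanner = "192.0.2.10", "198.51.100.7"
    m = IsnModel()
    first = m.isn(server, scanner, 22, 57011, now=100.0)
    repeat = m.isn(server, scanner, 22, 57011, now=101.5)      # same period
    other_port = m.isn(server, scanner, 22, 57012, now=101.5)  # new 4-tuple
    rotated = m.isn(server, scanner, 22, 57011, now=104.0)     # new secret
    return first, repeat, other_port, rotated


if __name__ == "__main__":
    first, repeat, other_port, rotated = demo()
    print(f"same tuple, same period : {first:#010x} {repeat:#010x}")
    print(f"different source port   : {other_port:#010x}")
    print(f"after secret rotation   : {rotated:#010x}")
```

The repeated value for one 4-tuple is what the quoted scan log shows; it says nothing about the ISN for a different connection, which is the point made in the reply.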