[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-users] Re: [lwip] TCP sequence number attacks
From: |
John C. Toman |
Subject: |
[lwip-users] Re: [lwip] TCP sequence number attacks |
Date: |
Thu, 09 Jan 2003 00:34:22 -0000 |
An analysis of TCP ISN algorithms in use today is at:
http://razor.bindview.com/publish/papers/tcpseq.html
The main focus of the analysis is vulnerability to spoofing. The paper
does not necessarily advocate RFC1948-based hashing as the answer, but
the RFC-1948-based algorithms (linux and OpenBSD) fared well. It also
contains analysis of DNS sequence numbers, which in general are (gulp!)
even more vulnerable.
John
Adam Dunkels wrote:
>On Fri, 2002-08-16 at 22:56, Paul Sheer wrote:
>
>
>>>The right way to solve it isn't just to do iss = random(), though. I
>>>
>>>
>>it is with PaulOS, because PaulOS random() is secure
>>
>>
>
>The problem isn't with the randomness, but with the probability for
>hitting "old" sequence numbers that have been used recently. Here is
>what RFC1948 says:
>
> The choice of initial sequence numbers for a connection is not
> random. Rather, it must be chosen so as to minimize the probability
> of old stale packets being accepted by new incarnations of the same
> connection [6, Appendix A]. Furthermore, implementations of TCP
> derived from 4.2BSD contain special code to deal with such
> reincarnations when the server end of the original connection is
> still in TIMEWAIT state [7, pp. 945]. Accordingly, simple
> randomization, as suggested in [8], will not work well.
>
>/adam
>
>
[This message was sent through the lwip discussion list.]
- [lwip-users] Re: [lwip] TCP sequence number attacks, John C. Toman, 2003/01/08
- [lwip-users] Re: [lwip] TCP sequence number attacks, Adam Dunkels, 2003/01/08
- [lwip-users] Re: [lwip] TCP sequence number attacks, Paul Sheer, 2003/01/08
- [lwip-users] Re: [lwip] TCP sequence number attacks, Adam Dunkels, 2003/01/09
- [lwip-users] Re: [lwip] TCP sequence number attacks, Adam Dunkels, 2003/01/09
- [lwip-users] Re: [lwip] TCP sequence number attacks,
John C. Toman <=
- [lwip-users] Re: [lwip] TCP sequence number attacks, Adam Dunkels, 2003/01/09
- [lwip-users] Re: [lwip] TCP sequence number attacks, Paul Sheer, 2003/01/09