While NT 4 SP3 does have a pattern to it's initial TCP sequence numbers, my observations show this to be a "one-per-millisecond" seqence which is much less of a problem than the "64k increments" pattern exhibited by Borderware and HP-UX 10.x default configurations. With the "64k increments" pattern, the server's initial TCP sequence number is increased by 64,000 for each incoming connection and by 128,000 each second. These granularities of inbound connections and seconds are sufficiently course to make sequence number prediction trivial. By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3 increases the initial TCP sequence number by one every millisecond. I think that this would be very difficult to exploit remotely because the latency variations over an Internet connection are generally much greater than a millisecond. I guess that it may be possible to exploit over a LAN connection, but even then, I doubt that it would be easy. Has anyone actually seen or demonstrated a successful spoofing attack against NT 4 SP3 over an Internet connection? Roy Hills NTA Monitor At 22:14 02/09/98 +0200, Ulf Munkedal wrote: >This also applies to Firewall-1 on a Windows NT SP3. Vendor has been >notified some time ago. > >Like with HP-UX this is an NT problem, but one could argue that firewall >vendors should replace/strengthen the TCP/IP stack on that platform since >MS hasn't solved TCP seq prediction on NT and it has been known for quite >some time. SP3 helps but it doesn't solve the problem. > >Ulf -- Roy Hills Tel: 01634 721855 NTA Monitor Ltd FAX: 01634 721844 6 Beaufort Court, Medway City Estate, Email: Roy.Hills@nta-monitor.com Rochester, Kent ME2 4FB, UK WWW: http://www.nta-monitor.com/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:52 PDT