On Thu, 3 Sep 1998, Roy Hills wrote:

> While NT 4 SP3 does have a pattern to its initial TCP sequence
> numbers, my observations show this to be a "one-per-millisecond"
> sequence which is much less of a problem than the "64k increments"
> pattern exhibited by Borderware and HP-UX 10.x default configurations.
>
> With the "64k increments" pattern, the server's initial TCP sequence
> number is increased by 64,000 for each incoming connection and by
> 128,000 each second. These granularities of inbound connections and
> seconds are sufficiently coarse to make sequence number prediction
> trivial.
>
> By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
> increases the initial TCP sequence number by one every millisecond.
> I think that this would be very difficult to exploit remotely because the
> latency variations over an Internet connection are generally much greater
> than a millisecond. I guess that it may be possible to exploit over a LAN
> connection, but even then, I doubt that it would be easy.
>
> Has anyone actually seen or demonstrated a successful spoofing
> attack against NT 4 SP3 over an Internet connection?
>
> Roy Hills
> NTA Monitor

Hmmm NT+SP3, Pentium 233Mhz

How exploitable does this look:

TCP Initial Sequence Numbers

###:  Sequence Number    RTT        Difference
---:  ---------------    ---------  ------------
  0   547735488          9 ms.      0
  1   547735979          9 ms.      491
  2   547736480          9 ms.      501
  3   547736980          9 ms.      500
  4   547737481          9 ms.      501
  5   547737982          9 ms.      501
  6   547738483          9 ms.      501
  7   547738983          9 ms.      500
  8   547739484          9 ms.      501
  9   547739975          9 ms.      491
 10   547740475          9 ms.      500
 11   547740976          9 ms.      501
 12   547741477          9 ms.      501
 13   547741978          9 ms.      501
 14   547742478          9 ms.      500
 15   547742979          9 ms.      501
 16   547743480          9 ms.      501
 17   547743980          9 ms.      500
 18   547744481          9 ms.      501
 19   547744982          9 ms.      501
 20   547745483          9 ms.      501
 21   547745983          9 ms.      500
 22   547746474          9 ms.      491
 23   547746975          9 ms.      501
 24   547747475          9 ms.      500
 25   547747976          9 ms.      501
 26   547748477          9 ms.      501
 27   547748978          9 ms.      501
 28   547749478          9 ms.      500
 29   547749979          9 ms.      501
 30   547750480          9 ms.      501
 31   547750981          9 ms.      501
 32   547751481          9 ms.      500
 33   547751982          9 ms.      501
 34   547752483          9 ms.      501
 35   547752983          9 ms.      500
 36   547753484          9 ms.      501
 37   547753975          9 ms.      491
 38   547754476          9 ms.      501
 39   547754976          9 ms.      500
 40   547755477          9 ms.      501
 41   547755978          9 ms.      501
 42   547756478          9 ms.      500
 43   547756979          9 ms.      501
 44   547757480          9 ms.      501
 45   547757981          9 ms.      501
 46   547758481          9 ms.      500
 47   547758982          9 ms.      501
 48   547759483          9 ms.      501
 49   547759983          9 ms.      500
 50   547760484          9 ms.      501

mean < 499.92>
standard deviation (square) < 7.2588>

==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce                        Technology Management
Email : ivan@core-sdi.com        Av. Santa Fe 2861 5to C
TE : +54-1-821-1030              CP 1425
FAX : +54-1-821-1030             Buenos Aires, Argentina
Messaging: +54-1-317-4157
==============================================================================
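As an added example (not code from either poster), the Python below rebuilds the ISN column of the table above from row 0 and its 50 differences, reproduces the mean and "standard deviation (square)" (which is the sample variance) printed under it, and backtests how often the next ISN falls inside the range of increments seen in the first few samples; the only assumption is that the table's samples are consecutive observations from one host.

```python
"""Added example: quantify how predictable the sampled ISNs above are."""
from statistics import mean, variance

BASE_ISN = 547735488  # row 0 of the table above
INCREMENTS = [491, 501, 500, 501, 501, 501, 500, 501, 491, 500,
              501, 501, 501, 500, 501, 501, 500, 501, 501, 501,
              500, 491, 501, 500, 501, 501, 501, 500, 501, 501,
              501, 500, 501, 501, 500, 501, 491, 501, 500, 501,
              501, 500, 501, 501, 501, 500, 501, 501, 500, 501]

def isns_from_increments(base, increments):
    """Rebuild the sampled ISN column (rows 0..50) from its differences."""
    out = [base]
    for d in increments:
        out.append((out[-1] + d) % 2**32)
    return out

def isn_deltas(isns):
    """Consecutive differences, taken mod 2**32 because ISNs wrap."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]

def increment_stats(isns):
    """Mean and sample variance of the deltas (the two lines under the table)."""
    d = isn_deltas(isns)
    return round(mean(d), 2), round(variance(d), 4)

def backtest(isns, train):
    """Learn the increment range from the first `train` deltas, then count how
    many later samples land inside [previous + min, previous + max].
    Returns (hits, trials, window_width): a narrow window with a high hit
    rate means very few guesses cover the real next ISN, which is the
    exposure a defender wants to measure on their own hosts."""
    d = isn_deltas(isns)
    lo, hi = min(d[:train]), max(d[:train])
    hits = sum(lo <= x <= hi for x in d[train:])
    return hits, len(d) - train, hi - lo + 1

if __name__ == "__main__":
    samples = isns_from_increments(BASE_ISN, INCREMENTS)
    print("mean / variance:", increment_stats(samples))  # (499.92, 7.2588)
    print("backtest:", backtest(samples, 10))            # (40, 40, 11)
```

With only the first 10 increments as training data, every one of the remaining 40 ISNs falls inside an 11-value window, which is the quantitative answer to "how exploitable does this look".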
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:24 PDT