On Thu, 3 Sep 1998, Roy Hills wrote:

> By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
> increases the initial TCP sequence number by one every millisecond.
> I think that this would be very difficult to exploit remotely
> because the latency variations over an Internet connection are
> generally much greater than a millisecond. I guess that it may
> be possible to exploit over a LAN connection, but even then, I doubt
> that it would be easy.

It is very easy. Assume that you have a standard deviation of 3 in the sequence every 10 ms (Ivan Arce measured a stdev of 2.6942). This means that a single guessed sequence of 499, 500, or 501 has a ~68% (1 stdev) chance of being correct. Assuming you are guessing one every 10 ms, it would only take 3 tries (30 ms) for you to have a better than 90% chance of succeeding.

The lesson is that low individual event probability doesn't mean much when you can repeat the attempt millions of times. With today's higher-speed networks, the rare becomes commonplace. A "collision" of DES-encrypted network traffic (with its 64 bit block size) will occur within a couple minutes on a 1gb/sec link.

Ivan Arce wrote:

> mean < 499.92> standard deviation (square) < 7.2588>

That is the variance, s^2. (Perhaps you meant this by (square)). The standard deviation is s < 2.6942. Also, in situations like this, it would be best to use the step function since sequence numbers can only be integer values.

-Nate
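The arithmetic behind this message, as an added example that is not part of the original post: it is meant for judging how much unpredictability a sequence-number generator or a cipher block size has to provide. Assumptions: the measured increment is modelled as a normal variable rounded to an integer (the "step function" view), repeated tries are independent, "1gb/sec" means 10^9 bits per second, and all function names are hypothetical.

```python
import math

def normal_cdf(x, mean, sd):
    """Cumulative distribution of Normal(mean, sd) at x."""
    return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))

def window_probability(lo, hi, mean, sd):
    """P(lo <= N <= hi) where N is the integer nearest to X ~ Normal(mean, sd).

    Sequence numbers are integers, so each value n owns the interval
    [n - 0.5, n + 0.5) of the continuous model.
    """
    if lo > hi:
        raise ValueError("empty window")
    return normal_cdf(hi + 0.5, mean, sd) - normal_cdf(lo - 0.5, mean, sd)

def tries_needed(p_single, target):
    """Smallest n with 1 - (1 - p_single)**n >= target."""
    if not (0.0 < p_single < 1.0 and 0.0 < target < 1.0):
        raise ValueError("probabilities must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_single))

def seconds_to_block_collision(block_bits, link_bits_per_sec, p=0.5):
    """Time until two equal ciphertext blocks appear with probability p.

    Birthday approximation: about sqrt(2 * 2**block_bits * ln(1/(1-p)))
    blocks are needed, treating ciphertext blocks as uniformly random.
    """
    blocks = math.sqrt(2.0 * (2.0 ** block_bits) * math.log(1.0 / (1.0 - p)))
    return blocks * block_bits / link_bits_per_sec

if __name__ == "__main__":
    mean, sd = 499.92, 2.6942          # figures quoted in the thread
    centre = round(mean)
    for half_width in (0, 1, 3):       # windows of 1, 3 and 7 integer values
        p = window_probability(centre - half_width, centre + half_width, mean, sd)
        print(f"window of {2 * half_width + 1} values: p = {p:.3f}, "
              f"tries for 90%: {tries_needed(p, 0.90)}")
    secs = seconds_to_block_collision(64, 1e9)
    print(f"64-bit block, 1e9 bit/s: 50% collision after {secs / 60:.1f} min")
```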