Re: Linux blind TCP spoofing, act II + others

From: David Wagner (dawat_private)
Date: Sat Aug 07 1999 - 09:58:10 PDT


    In article <19990806123911.A1147at_private>,
    Salvatore Sanfilippo -antirez-  <antirezat_private> wrote:
    > 	I think that a consecutive IP id now can be considered
    > 	a weakness in IP stacks. [...] Here is a patch for
    > 	linux 2.0.36 [...] 'Truly random id' [...]
    
    Your patch isn't secure.  It uses a weak pseudo-random number
    generator to generate id's, and an attacker can just crack the
    PRNG to predict what id's will be used in the future.
    
    I think you probably want to use /dev/urandom to generate your
    IP id's, to prevent this attack.  (Or use a variant of Bellovin's
    RFC 1948, adapted to generate IP id's instead of TCP ISN's.)
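
One possible reading of the RFC 1948 variant suggested above, as an added example that is not part of the original message or of the patch under discussion: each (source, destination) pair gets its own counter, started at a secret keyed offset, so a peer sees only its own sequence. The class name, the documentation-range addresses and the use of HMAC-SHA256 in place of RFC 1948's MD5 are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
from collections import defaultdict


class KeyedIpIdGenerator:
    """Hypothetical per-(src, dst) IP ID sequence with a keyed starting offset."""

    def __init__(self, secret=None):
        # Secret comes from the OS CSPRNG (what /dev/urandom exposes on Linux).
        self.secret = secret if secret is not None else os.urandom(16)
        self.counters = defaultdict(int)  # packets sent so far per (src, dst)

    def _offset(self, src, dst):
        # F(src, dst, secret): HMAC-SHA256 here; RFC 1948 itself specifies MD5.
        msg = socket.inet_aton(src) + socket.inet_aton(dst)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!H", digest[:2])[0]

    def next_id(self, src, dst):
        # Counter keeps IDs distinct within a pair; offset hides where it starts.
        key = (src, dst)
        ip_id = (self._offset(src, dst) + self.counters[key]) & 0xFFFF
        self.counters[key] += 1
        return ip_id


def observer_view(gen, host, observer, other, hidden_packets):
    """IDs the observer receives before and after traffic it cannot see."""
    first = gen.next_id(host, observer)
    for _ in range(hidden_packets):
        gen.next_id(host, other)  # packets to a third party
    second = gen.next_id(host, observer)
    return first, second


if __name__ == "__main__":
    gen = KeyedIpIdGenerator()
    # Constructed sample addresses (RFC 5737 documentation ranges).
    a, b = observer_view(gen, "192.0.2.1", "198.51.100.7", "203.0.113.9", 5)
    print("observer saw ids", a, b, "delta", (b - a) & 0xFFFF)
```

With a single global counter the observer's delta would reveal the five hidden packets; here it stays at 1 whatever the host sends elsewhere.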
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:46 PDT