Re: NT Predictable Initial TCP Sequence numbers - changes

From: Deri Jones (bugtraq-l@NTA-MONITOR.COM)
Date: Thu Aug 26 1999 - 01:58:08 PDT


    Microsoft have now confirmed the problem:
    -----------------------------------------
    
    From: Sunil Gopal
    To: Roy Hills <Roy.Hills@nta-monitor.com>
    Subject: RE: NT 4.0 SP4 predictable initial TCP sequence numbers
    Date: Tue, 24 Aug 1999 04:20:56 -0700
    
    Hi Roy,
    
    Sorry about the silence...
    
    Though the TCP sequence generation pattern changes made to TCPIP.SYS for SP4
    are an improvement, I have been informed that this has been resolved in
    Windows 2000 and will be "back ported" to NT 4.0 in a future SP release. The
    issue remains open and is being worked on....
    
    We are trying to escalate this further and get it into the HOTFIX
    schedule and hope to make it available to xxx ASAP.
    
    Hope this helps...
    
    Thanks and Regards,
    
    Sunil Gopal, MCSE
    Technical Specialist/Systems Engineer
    mailto:sunilgat_private
    
    "Enable people to do anything they want, anytime they want, anywhere they
    want, on any device."
    _____________________________________________________________________________________________
    
     -----Original Message-----
    From: 	Roy Hills [mailto:Roy.Hills@nta-monitor.com]
    Sent:	Tuesday, August 24, 1999 12:54 PM
    To:	Sunil Gopal
    Subject:	NT 4.0 SP4 predictable initial TCP sequence numbers
    
    Folks,
    
    I've not heard back from Microsoft yet regarding the new predictable
    initial TCP sequence pattern in NT 4.0 SP4, so I've done some more
    research on the testbench to gain a better understanding of what's going on.
    
    It looks like the difference between initial TCP sequence numbers is always
    between 0 and 14 and is always an even number - i.e. 0,2,4,8,10,12 or 14.
    
    From a sample of 5,000 initial sequence numbers - i.e. 4,999 difference
    pairs - I get the following distribution:
    
    Sequence        Number
    Difference      of occurrences
    --------------  ---------------------
    0               648
    2               584
    4               608
    6               660
    8               602
    10              666
    12              641
    14              590
    
    I've also tested systems at different rates from one connection every
    20ms to one connection per second, and the pattern remains the same.
    So it's not time-related like the old SP3 behaviour.
    
    I'm going to post my finding to a couple of security mailing lists
    to share this information with the security community.  Obviously
    I won't mention any names!  I'll send you a copy of my posting to
    keep you informed of progress.
    
    Regards,
    
    Roy Hills
    NTA Monitor Ltd
    --
    Roy Hills                                    Tel:   +44 1634 721855
    NTA Monitor Ltd                              FAX:   +44 1634 721844
    6 Beaufort Court, Medway City Estate,        Email:
    Roy.Hills@nta-monitor.com
    Rochester, Kent ME2 4FB, UK                  WWW:
    http://www.nta-monitor.com/
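
The measurement Roy describes above (sampling consecutive ISNs and tabulating their differences) can be turned into a small assessment tool; the following is an added Python example, not code from either poster or from NTA Monitor. The ISN samples are constructed in the script to mimic the even 0-14 step pattern described in the post and a fully random generator for comparison; the "weak" threshold of 64 distinct steps is an assumption chosen for this example.

```python
import math
import random
from collections import Counter

ISN_MODULO = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def isn_differences(isns):
    """Differences between consecutive ISNs, taken modulo 2^32 so that a
    wrap past 0xFFFFFFFF counts as a small step rather than a huge one."""
    return [(b - a) % ISN_MODULO for a, b in zip(isns, isns[1:])]

def difference_distribution(isns):
    """Histogram of consecutive-ISN differences, like the table in the post."""
    return Counter(isn_differences(isns))

def step_entropy_bits(isns):
    """Shannon entropy (bits) of the observed step distribution. A strong
    generator approaches log2(sample size); one whose steps come from a
    handful of values yields only a few bits (eight even steps: under 3)."""
    dist = difference_distribution(isns)
    total = sum(dist.values())
    return -sum((c / total) * math.log2(c / total) for c in dist.values())

def is_weak_isn_generator(isns, max_distinct_steps=64):
    """Flag a sample whose consecutive differences take only a few distinct
    values, so the next ISN is one of a few candidates. The threshold is an
    assumption chosen for this example, not a published criterion."""
    return len(difference_distribution(isns)) <= max_distinct_steps

def sp4_like_isns(n, seed=1):
    """Constructed model of the SP4 pattern described in the post: each step
    is an even number from 0 to 14. Not data captured from a real host."""
    rng = random.Random(seed)
    isns, cur = [], rng.getrandbits(32)
    for _ in range(n):
        isns.append(cur)
        cur = (cur + rng.choice(range(0, 16, 2))) % ISN_MODULO
    return isns

def random_isns(n, seed=1):
    """Constructed comparison sample: a fresh random 32-bit value per ISN."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("SP4-like", sp4_like_isns(5000)), ("random", random_isns(5000))):
        print(name, sorted(difference_distribution(sample).items())[:8],
              f"{step_entropy_bits(sample):.2f} bits, weak={is_weak_isn_generator(sample)}")
```

The SP4-like sample reports under 3 bits of entropy per step and is flagged weak, while the random sample gives roughly log2(4999) bits and is not; the 5,000-sample size matches the one used in the post.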
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:58 PDT