
TCP/IP Sequence Number Analysis

michael posted more than 11 years ago | from the you-don't-have-to-be-a-kreskin-to-predict-this dept.

Security 229

johnwbyrd writes "Upon connection via TCP/IP to a host, the host generates an Initial Sequence Number (ISN). It's important to design ISN generation sequences so remote attackers can't predict an ISN (this is called a "blind spoofing" attack). Using phase space analysis you can check the quality of ISNs generated on various OSes. Windows 98's graph is quite pretty."



:-o (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3795451)


Re::-o (-1, Troll)

LinuxIsDyingGuy (588455) | more than 11 years ago | (#3795499)

It is official; Netcraft confirms: *The Who is dying

One more crippling bombshell hit the already beleaguered Who community when Yahoo! confirmed that a Who musician has dropped yet again, now they are down to less than a fraction of 66% percent of all members. Coming on the heels of a recent Netcraft survey which plainly states that The Who has lost more band members, this news serves to reinforce what we've known all along. The Who is collapsing in complete disarray, as fittingly exemplified by coming dead last [yahoo.com] in the recent MTV comprehensive music test.

You don't need to be a Kreskin [amdest.com] to predict The Who's future. The handwriting is on the wall: The Who face a bleak future. In fact there won't be any future at all for The Who because The Who is dying. Things are looking very bad for The Who. As many of us are already aware, The Who continues to lose market share. Blood flows like a river of red ink.

Who member "Ox" is the most endangered of them all, having lost 26% of his body to decomposition. The sudden and unpleasant departures of long time The Who member "Ox" only serves to underscore the point more clearly. There can no longer be any doubt: The Who is dying.

Let's keep to the facts and look at the numbers.

Who leader Roger Daltrey states that there are 7000 fans of The Who. How many fans of "Ox" were there? Let's see. The number of Who versus "Ox" posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 "Ox" fans. The Who posts on Usenet are about half of the volume of Elvis posts. Therefore there are about 700 fans of The Who. A recent article put The Who at about 60 percent alive. Therefore there are now (7000+1400+700)*4 = 36400 The Who fans. This is consistent with the number of Who Usenet posts.

Due to the troubles of the music business, abysmal sales and so on, The Who went out of existence and was taken over by MCA Records who sells more troubled BS. Now MCA Records is also dead, its corpse turned over to yet another charnel house.

All major surveys show that The Who has steadily declined in market share. The Who is very sick and its long term survival prospects are very dim. If The Who is to survive at all it will be among music dilettante dabblers. The Who continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, The Who is dead.

Fact: The Who is dying

First Spanish Post (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3795456)

Well, that's that ;)

Already Slashdotted.... (0, Offtopic)

cybermace5 (446439) | more than 11 years ago | (#3795469)

...at ~4 comments!

I think that's a new record low.

Re:Already Slashdotted.... (1, Offtopic)

lostchicken (226656) | more than 11 years ago | (#3795534)

Why doesn't Slashdot cache pages, images and linked pages (and their images) 1 level deep before posting a link?

I know this isn't really quite on (this) topic, and it has been said before, but the /. effect is getting stronger than ever. I just hope none of these sites pay for bandwidth.

This /.ing fix could be easily done, just put the code into slash, do it on the fly.

Re:Already Slashdotted.... (2)

zulux (112259) | more than 11 years ago | (#3795741)

There are two reasons why Slashdot doesn't cache linked pages:

1) It could very well be illegal without obtaining permission from a human. This would take too much time away from CmdrTaco adding spelling errors to my posts.

2) It would cost money in bandwidth costs. VA Software corporate officers love to roll naked in freshly minted $1 bills, and this would take away from their stash. Then only one officer could roll at a time. Not a happy thing.

Re:Already Slashdotted.... (2)

treat (84622) | more than 11 years ago | (#3795952)

1) It could very well be illegal without obtaining permission from a human. This would take too much time away from CmdrTaco adding spelling errors to my posts.

Obviously this is not the case, or Google and other businesses that are caching web sites would be out of business by now. Caching web proxies would not be so common, instead we have never heard of a legal attack against a caching web proxy. This excuse is without merit.

The FAQ also gives this as a reason:

But what happens if I cache the site, and they update themselves? Once again, I'm transmitting data that I shouldn't be, only this time my cache is out of date!

But this is such an easily solved problem, this must also be a dishonest excuse. Even updating the cache once per minute would not unduly load the victim sites. Using standard proxy software like Squid would completely solve this problem.

So the quick answer is: "Sure, caching would be neat." It would make things a lot easier when servers go down, but it's a complicated issue that would need to be thought through in great detail before being implemented.

Answered by: CmdrTaco
Last Modified: 6/14/00

Surely in the 2 years since this question has been answered, CmdrTaco has had time to work on the solution to this. This is his full time job. Not much effort is being spent on the development of the software that runs the site, and certainly with the number of editors and how sloppily it is done, this can not be taking more than an hour per day per editor, if that. There is no original content, it is all submitted. As a LNUX shareholder, I wonder what these guys really do all day.

Re:Already Slashdotted.... (5, Informative)

joshv (13017) | more than 11 years ago | (#3795556)

Yeah, the bozos that created the page put the entire report, with some 40-50 embedded images, on one page. So everyone that hits the thing tries to pull down many megs of image files all at once.

To summarize the report: unpatched versions of NT4 and Windows 95/98SE are the most vulnerable to spoofing attacks because of predictable patterns, or attractors, in the sequence produced by the random number generator used for ISNs. Linux, OpenBSD and FreeBSD scored near the top, though the report says there is room for improvement. Windows 2000, MacOSX, IRIX and BSDI were in the middle of the pack. HPUX and AIX were just as bad as Windows 98.

So we have our prototypical 'windows less secure than linux' submission and the slashdotters are happy :)


How did mac classic score? (0)

Anonymous Coward | more than 11 years ago | (#3795642)

--I'm interested in this, although this sort of tech is not my forte, I just had such SUPER good fortune with mac classic over the years as regards "security" in general. As in "never got hacked or any virus never ever in many years on the net with a default install" of mac classic.

caveat, ONE time I got a virus that was easy to get rid of. It was my fault, I stuck in a floppy with some small progs on it that someone gave me. prog included some virus. duh, my bad for l7m3n355 But that's IT. years and years.

Re:How did mac classic score? (2)

GutBomb (541585) | more than 11 years ago | (#3795817)

the reason you had a relatively easy time with the mac is not because of its security. it's because of its relative obscurity. people don't find it worthwhile to hack a mac, don't know how, and don't care to... etc. Things might change now that the hacking methods are a little closer than they used to be (now 30 years of unix hacking knowledge may be applied) however, MacOS classic wasn't even included in the final score (the little rainbow graphic) for some reason, however they do state in the text that MacOS X scored a little higher than it. Take that as you will.

Re:Already Slashdotted.... (1)

56ker (566853) | more than 11 years ago | (#3795576)

It's running Microsoft-IIS/4.0 on NT4/Windows 98 - so what do you expect?

Re:Already Slashdotted.... (0)

Anonymous Coward | more than 11 years ago | (#3795629)

it is running apache on sol according to netcraft

It looks like... (-1, Offtopic)

JanusFury (452699) | more than 11 years ago | (#3795470)

That graph looks like Tux the penguin! Perhaps microsoft is trying to say something?

Actually, is it just me or is the site ALREADY slashdotted?

why is it (-1, Offtopic)

savbill (583728) | more than 11 years ago | (#3795479)

that windows is always mentioned here? windows sucks, period. anyone using macosx? i like the commercials. linux of course is on my home box. why the fuck is windows even mentioned here? windows sucks. everyone knows that. also michael sucks dried castrated dog dicks.

Re:why is it (1)

PsychoSlashDot (207849) | more than 11 years ago | (#3795490)

Maybe because it's the OS family used by the vast majority of people, regardless of suckage?

Re:why is it (-1, Offtopic)

miffo.swe (547642) | more than 11 years ago | (#3795528)

Because they suck hard and are a monopoly thus forcing many of us that DONT want to be near it to use it anyway? I am forced to use it as long as i dont change profession and become a kindergarten teacher or something (the kids are easier to talk to than the MS reps. btw)

Re:why is it (1, Troll)

danheskett (178529) | more than 11 years ago | (#3795566)

Because they suck hard and are a monopoly thus forcing many of us that DONT want to be near it to use it anyway? I am forced to use it as long as i dont change profession and become a kindergarten teacher or something (the kids are easier to talk to than the MS reps. btw)

Ohh, friggin' wah. The MAN is forcing you.. its NOT YOUR FAULT you're a corporate bitch.. its NOT YOUR FAULT the man can push you around.

Why not start looking for a better job instead of bitching and whining on slashdot all day.

Re:why is it (-1, Troll)

Anonymous Coward | more than 11 years ago | (#3795592)

Why don't you crawl back to Redmond and suck Bill and Steve's cocks and quit trolling Slashdot, you Mickey-soft Whore?

Google cache saves the day (0, Redundant)

Jesus IS the Devil (317662) | more than 11 years ago | (#3795481)

I can't get in and there's only like 6 comments! Can't believe this.

No worries. Google cache saves the day: C: razor.bindview.com/publish/papers/tcpseq.html+&hl=en&ie=UTF-8

There are links in the article. Just change the url in the google cache address accordingly and voila!

Re:Google cache saves the day (1)

JanusFury (452699) | more than 11 years ago | (#3795486)

You know you can't copy-and-paste google cache links, right? That one doesn't work, at least, and it's never worked for me.

Re:Google cache saves the day (1)

Jesus IS the Devil (317662) | more than 11 years ago | (#3795508)

Oops didn't know that. My first time giving this advice. Well for everyone, just goto www.google.com and type in the address:

http://razor.bindview.com/publish/papers/tcpseq.html

Then just click on the "Cached" link in the results page.

Re:Google cache saves the day (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3795511)

It's the ASCII goatse.cx lameness filter screwing up the URL..remove the space in the URL.

Re:Google cache saves the day (0)

Anonymous Coward | more than 11 years ago | (#3795513)

You need to remove any spaces from where lines wrap and it will work. Works for me.


Re:Google cache saves the day (2)

autocracy (192714) | more than 11 years ago | (#3795746)

You have to remove the spaces that slashdot puts in because some genius months ago figured out this thing called a "page-widening post." About the most annoying thing I've ever seen, really.

Re:Google cache saves the day (2)

GutBomb (541585) | more than 11 years ago | (#3795849)

and even though they put in the spaces, there are still page widening posts. ever browse at -1?

Re:Google cache saves the day [ the correct link ] (2, Redundant)

hyyx (447405) | more than 11 years ago | (#3795502)

Google cache of the page (0)

Anonymous Coward | more than 11 years ago | (#3795482)

Click here. Of course, it won't have all the pretty pictures, but you'll get the idea.

Must be Sunday (2, Informative)

Anonymous Coward | more than 11 years ago | (#3795489)

Let's see. Mitnick used this what, 8 years ago now? That's how he got into that guy's login session that was pre-existing between the two machines, or something to that effect.

Plus, various folks were using this on big IRC networks after that, but still many years ago.
That "emmanuel-" in #2600 that says he gave the subscription list to the FBI and ran over Walter was a spoof. So was billg in #windows95. That's just the tip of the iceberg.

Everything old is new again.

Re:Must be Sunday (0)

Anonymous Coward | more than 11 years ago | (#3795659)

> Everything old is new again.

so they knew 8 years ago that windows nt tcp/ip sucks? wow

slashdotted (0)

lethalwp (583503) | more than 11 years ago | (#3795493)

that one appears to be already /.ted

you can get a copy in google's cache:

http://www.google.be/search?q=cache:sJUlrsbgsJ4C:razor.bindview.com/publish/papers/tcpseq.html+&hl=en&ie=UTF-8

duh (0)

Anonymous Coward | more than 11 years ago | (#3795509)

Slashdot is pretty fast. When was it published and hit BUGTRAQ, one year ago?

old news (1, Informative)

Anonymous Coward | more than 11 years ago | (#3795507)

wasn't this already posted here like a year ago?

TCP/IP Sequence Number Analysis (0)

Anonymous Coward | more than 11 years ago | (#3795515)

This is the main reason Dept of Defense said windows cannot be secured. It's a sad story. Maybe people will not be so open minded about windows anymore and realize they don't understand security, or if they do they work for the hackers/crackers. At least by action.

Re:TCP/IP Sequence Number Analysis (2)

Bastian (66383) | more than 11 years ago | (#3795613)

More than that, this is a good reason why having only one major OS cannot be secure. If you can write an extremely good sequence number predictor for Windows 2000 sessions and get yourself a few nice deer stands on the periphery of the backbone (or heck, in the backbone - I'm not sure how feasible that is), you can 0wn the majority of corporations you're interested in attacking.

Personally, I think Bush's Department of Homeland Defense is going to be a complete crock if nothing is done about this and other computer security issues. I can't figure out if none of Dubya's advisors understand computers or if they are so full of it as to actually think, for whatever reason, that nobody would ever attack the US electronically. I have a feeling it's the latter being caused by the former, though. . .

Hmm. (1)

mindstrm (20013) | more than 11 years ago | (#3795525)

Keep in mind it's still remarkably hard to spoof with each successive packet, even if you can predict sequence numbers.

The first is easy, the second likely, the third less likely, and so on. Spoofing a long conversation would be very difficult, if not practically impossible.

Re:Hmm. (3, Insightful)

GigsVT (208848) | more than 11 years ago | (#3795656)

echo r00t::0:0:0wned:/root:/bin/bash fits in one packet.

Food for thought.

Re:Hmm. (2)

treat (84622) | more than 11 years ago | (#3795906)

Keep in mind it's still remarkably hard to spoof with each successive packet, even if you can predict sequence numbers.

No. You are completely and totally wrong. The only hard part is predicting the initial sequence number. For each successive packet, the only problem is guessing how much data was sent so that you can ack it and not end up closing the window. In practice, this is easy, as the amount of data that was sent should be predictable within a narrow range, and it is safe to send multiple guesses.

I want purty picatures! (0)

spammeister (586331) | more than 11 years ago | (#3795527)

I guess the pix don't work cuz they weren't cached. Oh well. I bet it looks nice regardless. What we need is a DL so we can see if there is any "Ghost in the Machine" in our comp when it gets analyzed.

For those wondering how insecure Microsoft is ... (1, Informative)

NASAKnight (588155) | more than 11 years ago | (#3795530)

Operating system: Windows NT4 SP3
Attack feasibility: 97.00%

Operating system: Windows 98 SE
Attack feasibility: 100.00%

Operating system: Windows 95
Attack feasibility: 100.00%

Re:For those wondering how insecure Microsoft is . (5, Insightful)

danheskett (178529) | more than 11 years ago | (#3795554)

Odd how you didn't point out the glaring insecurities in the other operating systems from non-MS vendors (Unix no less):

AIX 4.3 Attack feasibility: 100%

Attack feasibility: 100%

Solaris 7
Attack feasibility: 66.00%

MacOS 9
Attack feasibility: 89.00%

And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.

But, no, I guess it's more fun to take a serious problem with TCP implementations across many problems, single out a vendor from nearly a dozen sloppy vendors, and try to make it seem like it's all on them. That's much better, right?

Re:For those wondering how insecure Microsoft is . (0)

Anonymous Coward | more than 11 years ago | (#3795583)

yah because none of us know how easy it is to hack a windows box.

Thanks for pointing out something NONE of us realized already.

"For those wondering how insecure Microsoft is," please thank the troll above.

Re:For those wondering how insecure Microsoft is . (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#3795660)

And you failed to point out that the open source solutions are best.

How's that sharp stick in the eye feel, you spunk-swallowing graduate of Moe and Curly's Software Emporium?

Re:For those wondering how insecure Microsoft is . (2, Informative)

fyonn (115426) | more than 11 years ago | (#3795683)

And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.

well, to be honest, it's not the most up-to-date thing in the world. the freebsd tested was 4.2. and there have been significant improvements in tcp sequencing since then (being as we're at 4.6 now) and there is even a kernel compilation flag for random sequences.

so it's probably a year out of date, don't feel so singled out


Re:For those wondering how insecure Microsoft is . (1)

Querty (1128) | more than 11 years ago | (#3795711)

He didn't say insecure, but just that win98 makes a pretty graph...

And it does, really! (Although I think Cisco IOS 12.0 makes an even prettier one).

Relax Bill, we're not out to get you....

Re:For those wondering how insecure Microsoft is . (5, Interesting)

FreeUser (11483) | more than 11 years ago | (#3795737)

And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.

You mean, like this improvement?

Windows 95 sequence numbers are very weak. But what is really difficult to understand is why this algorithm was further "weakened" in Windows 98 (SE), decreasing estimated error and number of elements required to get the right guess, in average, 99.488%.

Seriously, the post was entitled "for those wondering how insecure Microsoft is", not "for those wondering how Microsoft stacks up against other systems" which, as you point out, would indicate that consumer OSes are pathetic, while 'professional' OSes like NT and 2000 are making modest improvements, and that while the *BSDs are pretty good, and GNU/Linux quite good, there are plenty of older UNIX implementations that were quite poor, and even pathetic, as well, not to mention CISCO, which makes up much of the internet backbone.

But, since Microsoft is conducting a wholesale attack on our very freedom of choice through its Palladium and DRM efforts, pointing out additional, purely technical reasons for moving away from Microsoft to *BSD and GNU/Linux alternatives and thereby protecting your security as well as your freedom isn't such an ignoble thing to be doing at all.

Re:For those wondering how insecure Microsoft is . (0)

Anonymous Coward | more than 11 years ago | (#3795839)

The point is though that this is a larger issue than a single issue: major operating systems, as well as "consumer" versions (aka Windows) are not doing well in this regard. Furthermore, all kinds of embedded "smart" devices use NO randomness at all.

Just trolling and pointing out that outdated unsupported versions of Windows have extremely insecure ISN generation is a waste of time.

Re:For those wondering how insecure Microsoft is . (0)

Anonymous Coward | more than 11 years ago | (#3795885)

The thing I don't understand is... why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now... Shouldn't we compare to things like XP (which is the replacement Windows for both the DOS^H^H^HWin9x/ME line and NT/2k) instead?

Just my 2 eurocents

Re:For those wondering how insecure Microsoft is . (0)

Anonymous Coward | more than 11 years ago | (#3795755)

Mac OS 9 is a Unix?

Those bastards didn't tell us!!@!

Re:For those wondering how insecure Microsoft is . (1)

ealar dlanvuli (523604) | more than 11 years ago | (#3795900)

And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.

So you're saying when they ganked the FreeBSD network stack w/o even a tip of the hat, they improved their non-existent security?

Wow, who'da thunk.

Re:For those wondering how insecure Microsoft is . (2)

zulux (112259) | more than 11 years ago | (#3795912)

Actually this is a case of "You Get What You Don't Pay For" -

HPUX, Windows and AIX are all expensive and suck.

Linux, OpenBSD, FreeBSD are all free and work wonderfully.

So in this case, your level of protection is determined by your intelligence and not by the amount of money you spend.

Re:For those wondering how insecure Microsoft is . (1)

zrodney (253699) | more than 11 years ago | (#3795951)

what a lame job of baiting... better, right?

are there 100s of thousands of old windows boxes with lame tcp/ip or are people running hpux on their dsl and cable modem boxes now?

That's strange (2, Insightful)

gazbo (517111) | more than 11 years ago | (#3795563)

When I read it they appear to have published the results to more recent Windows versions as well. You know, the more up to date NT versions, and 2k.

I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.

Re:That's strange (1)

Arthur Dent 75 (221061) | more than 11 years ago | (#3795794)

This could be because the linked report is dated "19 March - 21 April, 2001". This is not news, it's olds.

Re:That's strange (1)

gazbo (517111) | more than 11 years ago | (#3795937)

No, rtfa. There are entries for 2k and for more up-to-date NT versions. That is what makes the OP such a wanker - he deliberately ignored the pertinent information in order to demonstrate how insecure Microsoft is.

Re:For those wondering how insecure Microsoft is . (2)

mindstrm (20013) | more than 11 years ago | (#3795567)

The only use of this attack is to get around IP filters, or to hide the origin of a communication. And you can't receive data.

So attack is feasible.. but not that useful.

Re:For those wondering how insecure Microsoft is . (0)

Anonymous Coward | more than 11 years ago | (#3795595)

it is not the only use. read carefully.

Old News (0)

Anonymous Coward | more than 11 years ago | (#3795544)

This is terribly old news. Most people in a security role have been aware of sequence number prediction and attacks based on them for years, if not decades.

Re:Old News (0)

Anonymous Coward | more than 11 years ago | (#3795579)

While this publication is indeed old, I do not think it is just a restatement of the old problem. IMHO it is a decent and up-to-date analysis with an innovative approach.

mirror (2, Informative)

iamroot (319400) | more than 11 years ago | (#3795555)

Ok, I've mirrored the HTML and most of the images(still downloading) HERE [luminousdata.com] . Please only download this to mirror it! My bandwidth is limited!

Images at the Wayback Machine. (4, Informative)

ahaning (108463) | more than 11 years ago | (#3795565)

http://web.archive.org/web/20010605064202/http://razor.bindview.com/publish/papers/tcpseq/funct.jpg
http://web.archive.org/web/20010605044549/http://razor.bindview.com/publish/papers/tcpseq/mix.jpg
http://web.archive.org/web/20010605045958/http://razor.bindview.com/publish/papers/tcpseq/mix2.jpg
http://web.archive.org/web/20010605035655/http://razor.bindview.com/publish/papers/tcpseq/linux.jpg
http://web.archive.org/web/20010605064823/http://razor.bindview.com/publish/papers/tcpseq/win2k.jpg
http://web.archive.org/web/20010605040907/http://razor.bindview.com/publish/papers/tcpseq/winnt.jpg
http://web.archive.org/web/20010605070134/http://razor.bindview.com/publish/papers/tcpseq/win95.jpg
http://web.archive.org/web/20010824220456/http://razor.bindview.com/publish/papers/tcpseq/win98.jpg
http://web.archive.org/web/20010605051434/http://razor.bindview.com/publish/papers/tcpseq/cisco2.jpg
http://web.archive.org/web/20010828165152/http://razor.bindview.com/publish/papers/tcpseq/cisco.jpg
http://web.archive.org/web/20010604211355/http://razor.bindview.com/publish/papers/tcpseq/aix.jpg
http://web.archive.org/web/20010605063344/http://razor.bindview.com/publish/papers/tcpseq/freebsd.jpg
http://web.archive.org/web/20010605052241/http://razor.bindview.com/publish/papers/tcpseq/openbsd.jpg
http://web.archive.org/web/20010605050747/http://razor.bindview.com/publish/papers/tcpseq/obsdnew.jpg
http://web.archive.org/web/20010605064736/http://razor.bindview.com/publish/papers/tcpseq/hpux11.jpg
http://web.archive.org/web/20010605061712/http://razor.bindview.com/publish/papers/tcpseq/sol7.jpg
http://web.archive.org/web/20010605062854/http://razor.bindview.com/publish/papers/tcpseq/sol8.jpg
http://web.archive.org/web/20010605055059/http://razor.bindview.com/publish/papers/tcpseq/sol2.jpg
http://web.archive.org/web/20010605060640/http://razor.bindview.com/publish/papers/tcpseq/sol2ip.jpg
http://web.archive.org/web/20010605044904/http://razor.bindview.com/publish/papers/tcpseq/bsdi.jpg
http://web.archive.org/web/20010605070105/http://razor.bindview.com/publish/papers/tcpseq/irix.jpg
http://web.archive.org/web/20010605042650/http://razor.bindview.com/publish/papers/tcpseq/macos1.jpg
http://web.archive.org/web/20010605041254/http://razor.bindview.com/publish/papers/tcpseq/macos.jpg
http://web.archive.org/web/20010605054335/http://razor.bindview.com/publish/papers/tcpseq/dnslibc.jpg
http://web.archive.org/web/20010605061755/http://razor.bindview.com/publish/papers/tcpseq/dnswin.jpg
http://web.archive.org/web/20010605060741/http://razor.bindview.com/publish/papers/tcpseq/dnssol.jpg
http://web.archive.org/web/20010605051819/http://razor.bindview.com/publish/papers/tcpseq/comp.jpg
http://web.archive.org/web/20010605053816/http://razor.bindview.com/publish/papers/tcpseq/random.jpg
http://web.archive.org/web/20010605053140/http://razor.bindview.com/publish/papers/tcpseq/data.jpg
http://web.archive.org/web/20010824145421/http://razor.bindview.com/publish/papers/tcpseq/linc.jpg
http://web.archive.org/web/20010605064500/http://razor.bindview.com/publish/papers/tcpseq/ttime.jpg

Remove the spaces, copy-and-paste. We don't want to take the Internet Archive down, as well.

Here's the first bit (1, Funny)

56ker (566853) | more than 11 years ago | (#3795589)

This is the first section:

Table of Contents:

0. Abstract
1. Introduction
1.1 TCP Sequence generation and PRNGs
1.2 Spoofing Sets
2. Phase Space Analysis, Attractors and ISN Guessing
2.1 Introduction to Phase Space Analysis
2.2 Using Attractors for Spoofing Set Construction
2.3 Real-Life Attack Algorithms
3. Review of Operating Systems
3.1 Linux
3.2 Windows
3.3 Cisco IOS
3.4 AIX
3.5 FreeBSD and NetBSD
3.6 OpenBSD
3.7 HP/UX
3.8 Solaris
3.9 BSDI
3.10 IRIX
3.11 MacOS
3.12 Multiple Network Devices
3.13 Other PRNG issues
4. Risk Analysis
5. Conclusions
6. References
7. Credits

Appendix A: Phase Space Images of Known Generating Functions

Hopefully now only people who want to read it will click on the link!

C: A Dead Language? by pwpbot (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3795617)

Gentlemen, the time has come for a serious discussion on whether or not to continue using C for serious programming projects. As I will explain, I feel that C needs to be retired, much the same way that Fortran, Cobol and Perl have been. Furthermore, allow me to be so bold as to suggest a superior replacement to this outdated language.

To give you a little background on this subject, I was recently asked to develop a client/server project on a Unix platform for a Fortune 500 company. While I've never coded in C before, I have coded in VB for fifteen years and in Java for over ten. I was stunned to see how poorly C fared compared to these two more low-level languages.

C's biggest difficulty, as we all know, is the fact that it is by far one of the slowest languages in existence, especially when compared to more modern languages such as Java and C. Although the reasons for this are varied, the main reason seems to be the way C requires a programmer to laboriously work with chunks of memory.

Requiring a programmer to manipulate blocks of memory is a tedious way to program. This was satisfactory back in the early days of coding, but then again, so were punchcards. By using what are called pointers, a C programmer is basically requiring the computer to do three sets of work rather than one. The first time requires the computer to duplicate whatever is stored in the memory space pointed to by the pointer. The second time requires it to perform the needed operation on this space. Finally, the computer must delete the duplicate set and set the values of the original accordingly.

Clearly this is a horrendous use of resources and the chief reason why C is so slow. When one looks at a more modern and a more serious programming language like Java, C, or even better, Visual Basic, that lacks such archaic coding styles, one will also note a serious speed increase over C.

So what does this mean for the programming community? I think clearly that C needs to be abandoned. There are two candidates that would be a suitable replacement for it. Those are Java and Visual Basic.

Having programmed in both for many years, I believe that VB has the edge. Not only is it slightly faster than Java, it's also much easier to code in. I found C to be confusing, frightening and intimidating with its non-GUI-based coding style. Furthermore, I like to see the source code of the projects I work with. Java's source seems to be under the monopolistic thumb of Sun, much the way that GCC is obscured from us by the marketing people at the FSF. Microsoft's shared source, under which Visual Basic is released, definitely seems to be the most fair and reasonable of all the licenses in existence, with none of the harsh restrictions of the BSD license. It also lacks the GPL's requirement that anything coded with its tools becomes property of the FSF.

I hope to see a switch to VB very soon. I've already spoken with various luminaries in the *nix coding world and most are eager to begin to transition. Having just gotten off the phone with Mr. Alan Cox, I can say that he is quite thrilled with the speed increases that will occur when the Linux kernel is completely rewritten in Visual Basic. Richard Stallman plans to support this and hopes that the great Swede himself, Linux Torvaldis, won't object to renaming Linux to VBLinux. Although not a C coder himself, I'm told that Slashdot's very own Admiral Taco will support this on his web site. Finally, Dennis Ritchie is excited about the switch.

Thank you for your time. Happy coding.


Not a new problem (3, Interesting)

scotfl (312954) | more than 11 years ago | (#3795618)

The idea of predicting Initial Sequence Numbers isn't exactly new, RFC1948: Defending Against Sequence Number Attacks [rfc.net] was issued in 1996. Heck, even RFC793: Transmission Control Protocol [rfc.net] from 1981 states:
When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN. The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds.

Which would provide somewhat random ISNs. What we are seeing here is the fact that computers today are faster than they were twenty years ago, and thus better random (or pseudo-random) ISN generators are needed. Still, it's nice to see vendors getting called out on bad implementations.

Re:Not a new problem (0)

Anonymous Coward | more than 11 years ago | (#3795644)


"As early as 1985 there was speculation that by being able to guess the next ISN, an attacker could forge a one-way connection to a host by spoofing the source IP address of a trusted host, as well as the ISN which would normally be sent back to the trusted host via an acknowledgement packet. It was determined that to help ensure the integrity of TCP/IP connections, every stream should be assigned a unique, random sequence number. The TCP sequence number field is able to hold a 32-bit value, and 31-bit is recommended for use by RFC specifications. An attacker wanting to establish connection originating from a fake address, or to compromise existing TCP connection integrity by inserting malicious data into the stream [1] would have to know the ISN. Because of the open nature of the Internet, and because of large number of protocols that are not using cryptographic mechanisms to protect data integrity, it is important to design TCP/IP implementations in a way that does not allow remote attackers to predict an ISN (this is called a "blind spoofing" attack)."

You won the redundant statement prize!

old news! (1)

zdzichu (100333) | more than 11 years ago | (#3795641)

it was here [slashdot.org] .

Re:old news! (0)

Anonymous Coward | more than 11 years ago | (#3795774)

Tag him funny...it's really very amusing...

Re:old news! (0)

Anonymous Coward | more than 11 years ago | (#3795954)

What the fuck are you talking about? That's the same fucking article you twit.

What about NAT? (0)

Anonymous Coward | more than 11 years ago | (#3795669)

E.g. I have an OpenBSD firewall behind NAT and I'm using "modulate state" on TCP packets. One would then assume that the sequence numbers would be rewritten by the NAT gateway. Comments?

Cisco Sequence Numbers Bug.(600 Series) [swcp.com]

This could then make the random sequence numbers moot.

More recent results? (3, Interesting)

Westacular (118145) | more than 11 years ago | (#3795685)

This report was published over a year ago, examining vulnerabilities that have been well-understood for >6 years. How is this news?

It might be useful if it was up to date, however as it stands most of the OSes listed there have had non-trivial revisions and new releases since then: WinXP isn't mentioned; Linux testing is limited to some version of 2.2, with no mention of 2.4; it refers to OpenBSD 2.9 coming out "soon" (3.1 is now available); OS X has had many major improvements since its first release; etc.

The BSD's (3, Insightful)

Foxman98 (37487) | more than 11 years ago | (#3795693)

I'll be the first to admit that some of that article was a little beyond me at this time. However, for anyone running a server, it would seem that OpenBSD still is the best choice for anything on the 'net. OpenBSD had the best TCP/IP random number generation (recently re-written). It has also been developed with security in mind. After about 4 years of Linux experience it took me an hour to get an OpenBSD machine running, NATting, and pf'ing. It was really that simple - as long as you have the experience. Want httpd installed? "make install" in the ports directory.

What really surprised me in this article is that some of the commercial unices were so poor in their implementation. Solaris was only secured after tweaking; Mac OS X, while not 100% attackable, still wasn't much better. Same for IRIX and AIX. I didn't notice version numbers, however; does anyone know if the state has changed for newer versions of IRIX? It was also disappointing that the 2.2 series kernel was used - have things changed in 2.4? If not, is there work being done in 2.5/6?

And if anyone has ANY insight as to why Windows 98 is much worse than Windows 95, I'd love to hear it.

Re:The BSD's (0)

Anonymous Coward | more than 11 years ago | (#3795768)

Apache is installed on OpenBSD by default. No need for a make install in ports at all. Just configure in /var/www/conf/ and enable in /etc/rc.conf

Read the story: OpenBSD failed the test (0)

Anonymous Coward | more than 11 years ago | (#3795771)

What the heck are you talking about? The numbers don't lie. You obviously do. Read the story again. OpenBSD stumbled badly in this test.

Re:Read the story: OpenBSD failed the test (1)

steelhawk (90209) | more than 11 years ago | (#3795827)

OpenBSD _2.8_ was fairly bad in the test... but that's a pretty old version... as they say the CURRENT at that time was much better... and I think that is incorporated in the newer OpenBSD releases.. (as in at least 3.x)

Hit them. Hard. (1, Flamebait)

Krapangor (533950) | more than 11 years ago | (#3795718)

An attractor is a shape that is specific to the given PRNG function, and reveals the complex nature of dependencies between subsequent results generated by the implementation.

The author should be hit with a stick.
Several times.
There is a standard definition for an attractor in mathematics.
If the author wants to use mathematics, then he should use the well-agreed mathematical definitions and not vague pseudo-mathematical babble.
And yes, I am a mathematician.

What they basically do is guess the (internal) dimension of the system and try to get a non-trivial attracting set out of it. It's a rather trivial fact that if you get both things right, you can attack the PRNG. However, a decent PRNG won't have any non-trivial attractors.
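To make concrete what the thread is arguing about (the RFC 793 clock generator quoted by scotfl above, and the "attracting set" that the article's phase-space plots reveal), here is an added example that is not from the article or from any of the posters. It models two ISN generators, builds the delayed-coordinate points x[n] = s[n] - s[n-1] the article plots, and scores how often a point's last coordinate can be read off from an earlier point with the same prefix; the generator models, the cell coarsening and the scoring rule are all assumptions of this example, not the article's exact method.

```python
import random

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around

def clock_isns(n, interval_us=50_000, jitter_us=500, seed=7):
    """Constructed model of the RFC 793 generator quoted in the thread: a
    32-bit counter ticking every 4 microseconds, sampled once per connection.
    Connections are assumed to arrive every ~interval_us with some jitter."""
    rng = random.Random(seed)
    clock, out = rng.getrandbits(32), []
    for _ in range(n):
        elapsed_us = interval_us + rng.randint(-jitter_us, jitter_us)
        clock = (clock + elapsed_us // 4) & MASK32
        out.append(clock)
    return out

def random_isns(n, seed=7):
    """Constructed model of a generator that draws every ISN independently."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

def delay_embed(isns, dim=3, cell_bits=16):
    """Phase-space reconstruction as the article does it: x[n] = s[n] - s[n-1]
    (mod 2**32), then points (x[n-dim+1], ..., x[n]). Differences are
    coarsened into 2**cell_bits-wide cells so nearly equal values coincide."""
    x = [((isns[i] - isns[i - 1]) & MASK32) >> cell_bits for i in range(1, len(isns))]
    return [tuple(x[i - dim + 1:i + 1]) for i in range(dim - 1, len(x))]

def predictability(points):
    """Fraction of points whose last coordinate equals the one that followed
    the most recent earlier occurrence of the same (dim-1)-coordinate prefix.
    Near 1.0: the generator traces a compact attractor and the next ISN follows
    from its history. Near 0.0: the points fill the space like noise."""
    last_seen, hits = {}, 0
    for p in points:
        prefix, nxt = p[:-1], p[-1]
        if last_seen.get(prefix) == nxt:
            hits += 1
        last_seen[prefix] = nxt
    return hits / len(points)

def compare(n=2000, dim=3):
    """Returns (clock_score, random_score) for the two constructed generators."""
    return (predictability(delay_embed(clock_isns(n), dim)),
            predictability(delay_embed(random_isns(n), dim)))

if __name__ == "__main__":
    clock_score, random_score = compare()
    print(f"RFC 793 clock ISNs: {clock_score:.3f}")   # close to 1.0
    print(f"random ISNs:        {random_score:.3f}")  # close to 0.0
```

The `dim` argument is the embedding dimension MConlon mentions further down: a generator whose points look like haze at one dimension can still collapse onto a thin structure at another, so a quality check should try several.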

Re:Hit them. Hard. (3, Insightful)

Anonymous Coward | more than 11 years ago | (#3795899)

Look, I browsed through the article, but not enough to quibble over the mathematical definition of attractors. I don't know enough about attractors to quibble even if I did.

But I am a statistician, and about the "vague pseudomathematical babble":

Sometimes, when you're presenting stuff to nonspecialists, you need to be a little more vague and pseudomathematical for people to understand. Sometimes it's more important for 100% of the people to get a 80% valid understanding of something than 20% to get a 100% valid understanding. I think it's more accurate in this regard to describe many vague mathematical generalizations as "quasimathematical".

Just being a little vague is ok or even necessary sometimes. The problem with always using "well-agreed mathematical definitions" is that not everybody understands them. There are, however, some who might understand the gist of the argument, and sometimes it's more important to get that across.

Maybe you're of the opinion that we shouldn't explain math to people who don't understand every bit of it known to mankind. I don't believe, though, that people who try to make math a bit more accessible should be "hit hard". On the contrary--they should be encouraged. People pursue things, after all, because they're interested in it, and often, we're interested in the things that are novel to us.

Again, I don't really know enough about it. Maybe this guy was completely incorrect. But quasimathematical babble isn't always bad.

Comparison is the goal.... (1)

Alric (58756) | more than 11 years ago | (#3795727)

The article is not trying to report the idea of predicting the ISN as a new vulnerability.

The goal of the article is to compare how vulnerable various current operating systems are to this type of spoofed ISN attack. It discusses phase space analysis as a worthy means of doing this, and then the article presents handy feasibility charts and pretty pictures.

So please, let's have no more posts discussing how this attack is really old, man. I think most people here know this already.

This Article has Everything (2, Funny)

Anonymous Coward | more than 11 years ago | (#3795728)

1. Sensationalism
"OMG Someone can guess the ISN number, We are all on our way to destruction"

2. Geekiness
"Wtf is an ISN number"

3. M$ Bashing (Note the $ $ign: it means I disapprove of Microsoft's Money Grubbing Ways (TM) [OMG another funny!!])

PDF Mirror... (1)

hardcode (105714) | more than 11 years ago | (#3795729)

... at http://www.mirrors.wiretapped.net/security/info/papers/networking/strange-attractors-and-tcpip-sequence-number-analysis.pdf



It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
a half a pack of cigarettes, it's dark, and we're wearing visors. Engage.
- Paul Tomblin in asr

Re:PDF Mirror... (1)

hardcode (105714) | more than 11 years ago | (#3795845)

... of course missing out the space slash code inserted in the word sequence *sigh*



I am become Typo, destroyer of words.

Summary: Linux is the winner (0)

Anonymous Coward | more than 11 years ago | (#3795754)

Linux trounced the field. Period. Linux is the winner.

Other systems failed, including FreeBSD which is rated "medium to high risk". OpenBSD fared very poorly also, as did BSDI, both exhibiting highly predictable behaviour.

Solaris, HPUX, AIX, Mac OSX well -- they failed to measure up, with HPUX particularly shameful.

Windows? What is there to say -- it ran with the losers.

grsecurity (0)

Anonymous Coward | more than 11 years ago | (#3795824)

I wonder, what would be the percentage with linux 2.4 + grsecurity patches

That makes sense (2, Funny)

linuxhack (413769) | more than 11 years ago | (#3795831)

So, in Neon Genesis Evangelion, when they discover the Eva "neutralizing the Phase Space", they are actually watching the Eva exploit the Angel's weak ISN via a TCP/IP connection? It all makes so much sense now.

They manage to build bio-humanoid robots, but they can't write a decent random function. Go figure...

some wrong conclusions in the article (0)

Anonymous Coward | more than 11 years ago | (#3795886)

But, as network speeds are constantly growing, it would be not a problem for an attacker having access to powerful enough uplink to search the entire 32-bit ISN space in several hours, assuming a local LAN connection to the victim host and assuming the network doesn't crash, although an attack could be throttled to compensate.

If one assumes even an optimistic 10ms latency per request, this comes out to only 100 attempts/sec, or about 497 days to blindly search the whole 32-bit space.

Time delay... (2, Informative)

MConlon (246624) | more than 11 years ago | (#3795963)

Normally when you're attempting to reconstruct phase space you vary the embedding dimension.

Just because the dynamics look like a cloudy haze in R3 doesn't mean they do in R8.
