Re: Borderware predictable initial TCP

[Roy.Hills () NTA-MONITOR COM (Roy Hills)]

While NT 4 SP3 does have a pattern to it's initial TCP sequence
numbers, my observations show this to be a "one-per-millisecond"
seqence which is much less of a problem than the "64k increments"
pattern exhibited by Borderware and HP-UX 10.x default configurations.

With the "64k increments" pattern, the server's initial TCP sequence
number is increased by 64,000 for each incoming connection and by
128,000 each second.  These granularities of inbound connections and
seconds are sufficiently course to make sequence number prediction
trivial.

By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
increases the initial TCP sequence number by one every millisecond.
I think that this would be very difficult to exploit remotely because the
latency variations over an Internet connection are generally much greater
than a millisecond.  I guess that it may be possible to exploit over a LAN
connection, but even then, I doubt that it would be easy.

Has anyone actually seen or demonstrated a successful spoofing
attack against NT 4 SP3 over an Internet connection?

Roy Hills
NTA Monitor

At 22:14 02/09/98 +0200, Ulf Munkedal wrote:
> This also applies to Firewall-1 on a Windows NT SP3. Vendor has been
> notified some time ago.
>
> Like with HP-UX this is an NT problem, but one could argue that firewall
> vendors should replace/strengthen the TCP/IP stack on that platform since
> MS hasn't solved TCP seq prediction on NT and it has been known for quite
> some time. SP3 helps but it doesn't solve the problem.
>
> Ulf

--
Roy Hills                                    Tel:   01634 721855
NTA Monitor Ltd                              FAX:   01634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/