Bugtraq mailing list archives
Re: Borderware predictable initial TCP
From: patrick () CS VIRGINIA EDU (Patrick)
Date: Wed, 9 Sep 1998 14:12:25 -0400
> I've also got a feeling that it may be possible to send multiple ACKs to the server and the incorrect ones might just get ignored - if this is true, then it would be possible to "bracket" the predicted sequence no. with multiple ACKs to increase the chance of success. Does anyone know if this is really the case?

Yes, all the TCP stacks I have tried seem to ignore incorrect seq/ack numbers. This includes Linux, Solaris, Win*, and AIX. I can do more specific testing if it's an issue. I have a program that gets sequence numbers by sniffing and then spoofs FIN packets to tear down a connection. If I get the sequence numbers wrong (i.e., some legitimate packets arrive before my spoofed FINs), I just sniff another packet and try sending FINs again, etc. Juggernaut has similar functionality (using RST instead of FIN), and it goes so far as to send 10 RSTs, incrementing the sequence numbers for each attempt. This should significantly increase the chances of taking the connection down successfully.

--Patrick
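A defender-side view of the RST/FIN bursts described above, as an added example that is not part of the original post: it flags flows that receive several RST or FIN segments carrying different sequence numbers within a short window. The record layout, the threshold of 3 distinct sequence numbers and the 1-second window are assumptions, and the sample packets are constructed.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src, sport, dst, dport, flags, seq).
# Addresses are from the documentation range 192.0.2.0/24.
SAMPLE = (
    # Ten RSTs on one flow within 0.1 s, each with a different sequence number.
    [(1.00 + 0.01 * i, "192.0.2.10", 1025, "192.0.2.20", 23, "R", 5000 + 100 * i)
     for i in range(10)]
    # Ordinary close: one FIN plus a retransmission with the same sequence number.
    + [(2.0, "192.0.2.11", 1030, "192.0.2.20", 25, "FA", 7000),
       (2.5, "192.0.2.11", 1030, "192.0.2.20", 25, "FA", 7000)]
    # Isolated RSTs spread over ten seconds: not a burst.
    + [(t, "192.0.2.12", 1040, "192.0.2.20", 80, "R", 9000 + int(t))
       for t in (0.0, 5.0, 10.0)]
)


def find_teardown_bursts(packets, min_distinct=3, window=1.0):
    """Return {flow: n} for flows where n >= min_distinct different sequence
    numbers appear on RST/FIN segments inside any `window`-second span.

    A legitimate close normally repeats one sequence number, so many distinct
    values in a short span suggest a sender guessing at the receive window.
    This is a heuristic: the thresholds need tuning against local traffic.
    """
    by_flow = defaultdict(list)
    for ts, src, sport, dst, dport, flags, seq in packets:
        if "R" in flags or "F" in flags:
            by_flow[(src, sport, dst, dport)].append((ts, seq))

    alerts = {}
    for flow, events in by_flow.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({seq for _, seq in events[start:end + 1]}))
        if best >= min_distinct:
            alerts[flow] = best
    return alerts


if __name__ == "__main__":
    for flow, n in find_teardown_bursts(SAMPLE).items():
        print(flow, "distinct RST/FIN sequence numbers in window:", n)
```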