Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Borderware predictable initial TCP

From: patrick () CS VIRGINIA EDU (Patrick)
Date: Wed, 9 Sep 1998 14:12:25 -0400


I've also got a feeling that it may be possible to send multiple ACKs to the
server and the incorrect ones might just get ignored - if this is true,
then it
would be possible to "bracket" the predicted sequence no. with multiple
ACKs to increase the chance of success.  Does anyone know if this is
really the case?


Yes, all the TCP stacks I have tried seem to ignore incorrect seq/ack
numbers.  This includes Linux, Solaris, Win*, and AIX.  I can do more
specific testing if it's an issue.

I have a program that gets sequence numbers by sniffing and then spoofs
FIN packets to tear down a connection.  If I get the sequence numbers
wrong (i.e., some legitimate packets arrive before my spoofed FINs), I
just sniff another packet and try sending FINs again, etc.

Juggernaut has similar functionality (using RST instead of FIN), and it
goes so far as to send 10 RSTs, incrementing the sequence numbers for each
attempt.  This should significantly increase the chances of taking the
connection down successfully.

--Patrick
Previous By Date Next
Previous By Thread Next

Current thread: