Bugtraq mailing list archives

Re: NT4-SP3 Sequence Prediction


From: nate () ROOT ORG (nate () ROOT ORG)
Date: Wed, 9 Sep 1998 18:31:37 -0000


On Thu, 3 Sep 1998, Roy Hills wrote:
By contrast, the "one-per-millisecond" sequence shown by NT 4 SP3
increases the initial TCP sequence number by one every millisecond.
I think that this would be very difficult to exploit remotely
because the latency variations over an Internet connection are
generally much greater than a millisecond.  I guess that it may
be possible to exploit over a LAN connection, but even then, I doubt
that it would be easy.

It is very easy.  Assume that you have a standard deviation of 3 in the
sequence every 10 ms (Ivan Arce measured a stdev of 2.6942).  This means
that a single guessed sequence of 499, 500, or 501 has a ~68% (1 stdev)
chance of being correct. Assuming you are guessing one every 10 ms, it
would only take 3 tries (30 ms) for you to have a better than 90% chance
of succeeding.

The lesson is that low individual event probability doesn't mean much
when you can repeat the attempt millions of times.  With today's higher-speed
networks, the rare becomes commonplace.  A "collision" of DES-encrypted
network traffic (with its 64 bit block size) will occur within a couple minutes
on a 1gb/sec link.

Ivan Arce wrote:
mean <  499.92>  standard deviation (square) <  7.2588>

That is the variance, s^2. (Perhaps you meant this by (square)).
The standard deviation is s < 2.6942.  Also, in situations like this, it
would be best to use the step function since sequence numbers can only
be integer values.

-Nate
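Nate's two points, the step function for integer sequence numbers and the compounding of repeated attempts, worked through as an added example that is not part of the thread: it takes the per-10 ms increment statistics Ivan Arce posted (mean 499.92, standard deviation 2.6942), treats the increment as an integer-valued normal, and computes how much of the distribution a window of guessed values covers per attempt and how that compounds over independent attempts. `measure_deltas` is a hypothetical helper, with a constructed sample, for auditing ISNs captured from one's own host.

```python
import math

# Ivan Arce's measurements quoted in the thread: increment of the NT4 SP3
# initial sequence number per 10 ms.
MEAN_DELTA = 499.92
STDEV_DELTA = 2.6942


def measure_deltas(isns):
    """Mean and sample standard deviation of successive ISN differences
    (hypothetical audit helper: feed it ISNs captured from your own host)."""
    deltas = [b - a for a, b in zip(isns, isns[1:])]
    mean = sum(deltas) / len(deltas)
    var = sum((d - mean) ** 2 for d in deltas) / (len(deltas) - 1)
    return mean, math.sqrt(var)


def normal_cdf(x, mu, sigma):
    """Cumulative distribution of N(mu, sigma^2) via the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def integer_prob(n, mu, sigma):
    """P(delta == n) treating the delta as an integer-valued normal: the step
    function Nate recommends, i.e. the density integrated over [n-1/2, n+1/2]."""
    return normal_cdf(n + 0.5, mu, sigma) - normal_cdf(n - 0.5, mu, sigma)


def window_prob(guesses, mu=MEAN_DELTA, sigma=STDEV_DELTA):
    """Probability that the true increment is one of the guessed values."""
    return sum(integer_prob(g, mu, sigma) for g in guesses)


def success_after(p, attempts):
    """Probability that at least one of `attempts` independent tries hits."""
    return 1.0 - (1.0 - p) ** attempts


def attempts_for(p, confidence):
    """Smallest number of independent tries reaching `confidence`."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


if __name__ == "__main__":
    # Constructed sample of captured ISNs, not real measurements.
    print("measured (mean, stdev):", measure_deltas([1000, 1500, 2002, 2499, 3001]))
    p = window_prob([499, 500, 501])
    print(f"P(window 499..501 per try) = {p:.3f}")
    print(f"P(hit within 3 tries)     = {success_after(p, 3):.3f}")
    print(f"tries needed for 90%      = {attempts_for(p, 0.90)}")
```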


