Bugtraq mailing list archives

Re: NT4-SP3 Sequence Prediction


From: smb () RESEARCH ATT COM (Steve Bellovin)
Date: Wed, 9 Sep 1998 15:27:05 -0400


Relying on a fast counter for protection is fruitless -- I showed this
in a 1989 paper.  Look at it this way -- given some idea of the mean
increment per unit time, trying to find the exact right guess is like
trying to exploit a race condition.  Usually you lose -- but winning
just once is enough.

Furthermore, the idea of multiple guesses per attempt appears to be
sound -- from a quick glance at the TCP spec, an erroneous ACK will not
cause any harm.

The best solution, of course, is to abandon the fatally-flawed notion
of address-based authentication in the first place.  If you must use
it, use a per-connection time base, per RFC 1948.
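The per-connection time base the post points to is RFC 1948's ISN = M + F(localhost, localport, remotehost, remoteport, secret), with M a 4-microsecond clock and F a keyed hash the attacker cannot evaluate. The following is an added example, not code from the post or the thread: it puts a plain counter next to the RFC 1948 scheme and runs the spoofing attacker's extrapolation, with a guess window, against both. RFC 1948 suggests MD5 for F; HMAC-SHA256 is substituted here as an assumption, and the addresses, ports, timestamps, response jitter and secret are all constructed.

```python
"""Plain-counter ISN versus RFC 1948 ISN, with the attacker's extrapolation.

Added example, not part of the Bugtraq thread. M is the 4-microsecond clock of
RFC 1948 / 4.4BSD; F is RFC 1948's F(localhost, localport, remotehost,
remoteport, secret), here HMAC-SHA256 instead of the MD5 the RFC suggests
(assumption). Addresses, ports, times, jitter and the secret are constructed.
"""
import hashlib
import hmac
import struct

TICK_US = 4            # ISN advances once per 4 microseconds (RFC 1948, 4.4BSD)
MASK32 = 0xFFFFFFFF


def counter_isn(t_us, base=0):
    """Bare counter: ISN = M(t). Its rate is public, so timing one connection
    lets an attacker extrapolate the next ISN; this is what the post calls fruitless."""
    return (base + t_us // TICK_US) & MASK32


def rfc1948_offset(local_ip, local_port, remote_ip, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret): a per-connection
    offset, fixed for a given 4-tuple but unknowable without the secret."""
    conn_id = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def rfc1948_isn(t_us, local_ip, local_port, remote_ip, remote_port, secret):
    """ISN = M(t) + F(...) mod 2^32, the per-connection time base of RFC 1948."""
    offset = rfc1948_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (t_us // TICK_US + offset) & MASK32


def extrapolate(observed_isn, observed_t_us, target_t_us):
    """Attacker's estimate: the ISN seen on its own legitimate connection,
    advanced by the known counter rate to the time of the spoofed SYN."""
    return (observed_isn + (target_t_us - observed_t_us) // TICK_US) & MASK32


def guess_window(center, radius):
    """The post's 'multiple guesses per attempt': all ISNs within +/- radius
    ticks of the estimate, to be sent as candidate ACK numbers."""
    return {(center + d) & MASK32 for d in range(-radius, radius + 1)}


def attack_succeeds(true_isn, center, radius):
    return true_isn in guess_window(center, radius)


def simulate(secret=b"constructed-server-secret", radius=64):
    """One spoofing attempt against each scheme. Constructed scenario:
    the attacker (10.0.0.9:40000) connects to the victim (10.0.0.5:23) at
    t0 and learns the ISN, then 800 us later spoofs the trusted host
    (10.0.0.7:1023). The victim answers the spoofed SYN 37 us late (jitter),
    the race-condition element the post describes."""
    victim, attacker, trusted = "10.0.0.5", "10.0.0.9", "10.0.0.7"
    t0, t_spoof, jitter = 1_000_000, 1_000_800, 37

    # Bare counter: the 37 us of jitter is only 9 ticks of error, well inside the window.
    seen = counter_isn(t0)
    true_ctr = counter_isn(t_spoof + jitter)
    est_ctr = extrapolate(seen, t0, t_spoof)

    # RFC 1948: the estimate is off by F(trusted) - F(attacker), a value the
    # attacker cannot compute, so the same window almost surely misses.
    seen = rfc1948_isn(t0, victim, 23, attacker, 40000, secret)
    true_rfc = rfc1948_isn(t_spoof + jitter, victim, 23, trusted, 1023, secret)
    est_rfc = extrapolate(seen, t0, t_spoof)

    return {
        "counter_error_ticks": (true_ctr - est_ctr) & MASK32,
        "counter_hit": attack_succeeds(true_ctr, est_ctr, radius),
        "rfc1948_hit": attack_succeeds(true_rfc, est_rfc, radius),
    }


if __name__ == "__main__":
    print(simulate())
```

Note that RFC 1948 keeps the 4-microsecond counter for any single 4-tuple, so the ISN for a repeated connection between the same hosts and ports still advances at the classic rate (and the scheme still guards against old duplicate segments); it is only across different connections that the unknown offset breaks the extrapolation. Guessing windows of the kind above defeat a bare counter precisely because the race-condition error is small; against a secret-keyed offset the window would have to cover the full 32-bit space.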


