Vulnerability Development mailing list archives

Re: TCP/IP ISN Prediction Susceptibility


From: Dom De Vitto <dom () DEVITTO COM>
Date: Tue, 13 Mar 2001 15:25:57 -0000

I thought this was fact, a long, long time ago.  Many OSes use ISNs
based on uptime and number of prior connections, thus if you can get
one legit connection to a server, you could perform hijacking of
existing connections, or worse, perform 'blind' spoofing attacks.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                              Secure Technologies Ltd. 
  mailto:dom () devitto com                       Mob. +44 7971 589 201  
  http://www.devitto.com                       Fax. +44 8700 548 750  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 

 | -----Original Message-----
 | From: VULN-DEV List [mailto:VULN-DEV () securityfocus com]On Behalf Of
 | Solar, Eclipse
 | Sent: 12 March 2001 21:54
 | To: VULN-DEV () securityfocus com
 | Subject: TCP/IP ISN Prediction Susceptibility
 | 
 | 
 | Quoted from http://www.guardent.net/pr2001-03-12-ips.html
 | 
 | > Waltham, MA -- March 12, 2001 -- Guardent, Inc., the leading
 | > provider of security and privacy programs for Global 2000
 | > organizations, today released new information regarding a
 | > significant weakness in many implementations of the
 | > Transmission Control Protocol (TCP) that affects a large
 | > population of Internet and network-connected devices.
 | >
 | > Tim Newsham, a senior research scientist at Guardent,
 | > discovered a method by which malicious users can close
 | > down or "hijack" TCP-based sessions on the Internet or
 | > on corporate networks. The research, titled "ISN Prediction
 | > Susceptibility", exposes a weakness in the generation of
 | > TCP Initial Sequence Numbers, which are used to maintain
 | > session information between network devices.
 | >
 | > Prior to Guardent's discovery, it was believed that TCP
 | > sessions were sufficiently protected from attacks by the
 | > random generation of initial sequence numbers. It is now
 | > known that these numbers are guessable on many platforms,
 | > with a high degree of accuracy. The ability to accurately
 | > guess sequence numbers, combined with readily available
 | > session information, allows for a variety of sophisticated
 | > attacks on computer networks.
 | 
 | It seems that Guardent claims that the pseudo-random ISN
 | generation algorithm implemented in most TCP/IP stacks
 | is flawed. Does anybody have more information about this?
 | 
 | Solar Eclipse
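
The weakness Dom describes, modelled as an added example that is not part of the thread or of any of the vendors' code: a toy ISN generator driven only by uptime and a per-connection counter (so one observed ISN lets you compute the next one), placed next to a generator of the shape Bellovin proposed in RFC 1948 and later standardised in RFC 6528 (a clock plus a keyed hash of the connection 4-tuple, so the per-tuple offset cannot be learned from another connection), plus a small audit helper that flags constant-increment ISN sequences. The per-connection increment, the addresses, the clock values and the secret are all constructed for illustration and are not taken from any particular OS; the hash and encoding of the 4-tuple are illustrative choices, not a specific implementation.

```python
"""Toy ISN generators: a counter-based scheme versus an RFC 1948/6528-style
keyed-hash scheme, with a helper for auditing ISN sequences from your own
hosts. All constants, addresses and the secret below are constructed."""
import hashlib

MOD = 2 ** 32
TICKS_PER_CONNECTION = 64_000   # constructed per-connection increment (assumption)


def counter_isn(uptime_ticks: int, connections_so_far: int) -> int:
    """Weak scheme: the ISN is a function of uptime and the number of
    connections accepted so far, both of which an outside observer can
    estimate or count."""
    return (uptime_ticks + connections_so_far * TICKS_PER_CONNECTION) % MOD


def predict_counter_isn(observed_isn: int, elapsed_ticks: int, new_connections: int) -> int:
    """Given one legitimately observed ISN from the counter scheme, the value
    the same host will hand out after `elapsed_ticks` more ticks and
    `new_connections` more connections. No secret is involved, so the
    prediction is exact."""
    return (observed_isn + elapsed_ticks + new_connections * TICKS_PER_CONNECTION) % MOD


def hashed_isn(local: str, lport: int, remote: str, rport: int,
               secret: bytes, clock_ticks: int) -> int:
    """RFC 1948/6528 shape: ISN = M + F(local, lport, remote, rport, secret).
    M is a clock; F is a keyed hash of the 4-tuple, so the ISN seen on one
    connection reveals nothing about the offset used for a different tuple.
    The secret is private to the host and regenerated at boot (assumption)."""
    tuple_id = f"{local}:{lport}>{remote}:{rport}".encode()
    f = int.from_bytes(hashlib.sha256(secret + tuple_id).digest()[:4], "big")
    return (clock_ticks + f) % MOD


def isn_deltas(isns: list) -> list:
    """Successive ISN differences modulo 2^32: the raw material for checking
    how your own hosts' ISNs behave over a series of connections."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def constant_increment(isns: list) -> bool:
    """True when every successive delta is identical, the signature of a
    counter-based generator sampled at a regular rate."""
    deltas = isn_deltas(isns)
    return len(deltas) > 0 and all(d == deltas[0] for d in deltas)


if __name__ == "__main__":
    # One legitimate connection, then a prediction for the third connection
    # opened 250_000 ticks later: under the counter scheme it is exact.
    seen = counter_isn(uptime_ticks=1_000_000, connections_so_far=5)
    actual = counter_isn(uptime_ticks=1_250_000, connections_so_far=8)
    print("counter scheme prediction exact:",
          predict_counter_isn(seen, 250_000, 3) == actual)

    # Constructed secret and tuples for the keyed-hash scheme.
    secret = b"constructed-per-boot-secret"
    a = hashed_isn("10.0.0.1", 40000, "10.0.0.2", 80, secret, 1_000)
    b = hashed_isn("10.0.0.3", 40001, "10.0.0.2", 80, secret, 1_250)
    print("hashed ISNs for two tuples:", a, b)

    # Audit view: a host sampled at regular intervals under the counter scheme.
    samples = [counter_isn(t, n) for n, t in enumerate(range(0, 5_000, 1_000))]
    print("counter scheme looks predictable:", constant_increment(samples))
```

The audit helper is deliberately simple: a constant delta across connections is the clearest sign of the scheme Dom describes, while a keyed-hash generator yields different offsets per 4-tuple. Note the documented property of the RFC 1948 construction that within a single, unchanged 4-tuple the ISN still advances linearly with the clock; that is by design, since the attacker who can observe that tuple's ISN already holds the connection in question.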

