Vulnerability Development mailing list archives
Re: TCP/IP ISN Prediction Susceptibility
From: Dom De Vitto <dom () DEVITTO COM>
Date: Tue, 13 Mar 2001 15:25:57 -0000
I thought this was fact, a long, long time ago. Many OSes use ISN based on
uptime and number of prior connections, thus if you can get one legit
connection to a server, you could perform hijacking of existing connections,
or worse, perform 'blind' spoofing attacks.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                     Secure Technologies Ltd.
mailto:dom () devitto com       Mob. +44 7971 589 201
http://www.devitto.com           Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () securityfocus com]On Behalf Of
| Solar, Eclipse
| Sent: 12 March 2001 21:54
| To: VULN-DEV () securityfocus com
| Subject: TCP/IP ISN Prediction Susceptibility
|
|
| Quoted from http://www.guardent.net/pr2001-03-12-ips.html
|
| > Waltham, MA -- March 12, 2001 -- Guardent, Inc., the leading
| > provider of security and privacy programs for Global 2000
| > organizations, today released new information regarding a
| > significant weakness in many implementations of the
| > Transmission Control Protocol (TCP) that affects a large
| > population of Internet and network-connected devices.
| >
| > Tim Newsham, a senior research scientist at Guardent,
| > discovered a method by which malicious users can close
| > down or "hijack" TCP-based sessions on the Internet or
| > on corporate networks. The research, titled "ISN Prediction
| > Susceptibility", exposes a weakness in the generation of
| > TCP Initial Sequence Numbers, which are used to maintain
| > session information between network devices.
| >
| > Prior to Guardent's discovery, it was believed that TCP
| > sessions were sufficiently protected from attacks by the
| > random generation of initial sequence numbers. It is now
| > known that these numbers are guessable on many platforms,
| > with a high degree of accuracy. The ability to accurately
| > guess sequence numbers, combined with readily available
| > session information, allows for a variety of sophisticated
| > attacks on computer networks.
|
| It seems that Guardent claims that the pseudo-random ISN
| generation algorithm implemented in most TCP/IP stacks
| is flawed. Does anybody have more information about this?
|
| Solar Eclipse
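
Added example, not part of the original post or of any stack's source: a model of the uptime-plus-connection-count ISN scheme the reply describes, next to the keyed per-connection construction from RFC 6528, to show why the first leaks other clients' ISNs and the second does not. The step constants, addresses and keys are constructed for illustration, and HMAC-SHA256 stands in for the RFC's suggested MD5.

```python
import hashlib
import hmac
import socket
import struct

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


def legacy_isn(uptime_s: int, prior_conns: int) -> int:
    """Weak scheme from the post: ISN depends only on uptime and connection
    count. The step sizes are illustrative constants (assumption)."""
    return (uptime_s * 128_000 + prior_conns * 64_000) & MASK


def rfc6528_isn(key: bytes, laddr: str, lport: int,
                raddr: str, rport: int, uptime_us: int) -> int:
    """ISN = M + F(4-tuple, key), the construction in RFC 6528.
    M ticks every 4 microseconds; F here is HMAC-SHA256 truncated to 32 bits
    (a substitution made for this example; the RFC suggests MD5)."""
    four_tuple = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
                  socket.inet_aton(raddr) + struct.pack("!H", rport))
    digest = hmac.new(key, four_tuple, hashlib.sha256).digest()
    return (uptime_us // 4 + int.from_bytes(digest[:4], "big")) & MASK


def delta(a: int, b: int) -> int:
    """Distance from ISN a to ISN b modulo 2**32."""
    return (b - a) & MASK


def cross_client_delta(key: bytes, uptime_us: int) -> int:
    """Gap between the ISNs two different clients get at the same instant."""
    srv = ("192.0.2.10", 80)  # constructed documentation addresses
    observer = rfc6528_isn(key, *srv, "198.51.100.7", 40000, uptime_us)
    other = rfc6528_isn(key, *srv, "203.0.113.9", 51515, uptime_us)
    return delta(observer, other)


if __name__ == "__main__":
    # Legacy: the gap between consecutive connections is a fixed constant,
    # so one legitimate connection reveals the next client's ISN.
    print("legacy gap:", delta(legacy_isn(5000, 41), legacy_isn(5000, 42)))
    # RFC 6528: the gap between clients depends on the secret key, so one
    # client's ISN says nothing about another's.
    for key in (b"constructed-key-A", b"constructed-key-B"):
        print("rfc6528 gap:", cross_client_delta(key, 5_000_000_000))
```

Each connection still sees a monotonically increasing ISN over time under the RFC 6528 form, which is what keeps old segments from being mistaken for new ones.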