Hello all,
I have a question regarding the attack method known as sequence number
guessing. As far as I understood the process, it functions as follows:
Client------|Router|----+--Server 1
            |______|    |__Server 2
               |        |__Server 3
Intruder_______|
Router refuses Source Routed Packets, so Intruder won't see any of Server's
output if Intruder pretends to be Client. Intruder will send a lot of unACK'ed
SYNs to Client to feed up its TCP-Slots. Intruder then sends a SYN(a) to Server.
Server will send an ACK(a+1) together with a SYN(y) to Client (which is all fed
up and thus won't send an RST on an unexpected ACK). y is the number to guess.
Intruder guesses y and sends an ACK(y+1) to Server and now has a valid TCP
connection open. After finishing the work, (usually installing a backdoor of
any type) Intruder sends a FIN to Server and then closes all the SYNs sent to
Client to free its resources.
The major threat is that y is not very hard to guess on most Unix Systems.
IMHO there are two ways to protect oneself from those attacks:
a) Router will accept packets with Client's Source Address only from the
appropriate interface and Client is in fact either internal (neighboring
Server) or attached to a different interface than Intruder.
b) The number y is a quite good random number and thus VERY hard to predict.
a) will be the usual solution. b) will be hard to do because you'll have to
obtain a kernel patch for each and every Server.
My question: Am I right that if we use a Proxy-Only Gateway between Router
and Server, that Gateway is the only host to generate y to a SYN coming
from the outside? If so, wouldn't it be sufficient to install a very good
random number generator on Gateway only? Or did I miss something important
here?
Henning
----------------------------------------------------------------------
Henning Stams Mummert + Partner Unternehmensberatung GmbH
Internet: hstams@k.mup.de
Phone: +49 (221) 92404-131 (-0 from the U.S.)
FAX: +49 (221) 92404-199 (-33 from the U.S.)
----------------------------------------------------------------------
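The post's option b) is the measure later standardised in RFC 1948 and RFC 6528: the host that completes the handshake (the server, or the proxy gateway if it terminates the connection) derives each y from a secret plus the connection's 4-tuple instead of a shared counter. The following Python script is an added illustration, not code from the original post or from any of the systems it mentions. It models both generators (the 4.4BSD-style counter with the per-second and per-connection steps quoted in RFC 1948, and an RFC 6528 style keyed hash with SHA-256 standing in for the unspecified function F) and measures how often a forecast built from one observed ISN lands near the next ISN issued to a different peer. All addresses, ports and the secret key are constructed values.

```python
"""ISN predictability comparison (added example; not from the original post).

LegacyISN models the 4.4BSD-style global counter described in RFC 1948: one
counter for the whole host, stepped by a constant per second and per new
connection.  Rfc6528ISN models RFC 6528: ISN = M + F(4-tuple, secret), with M
a 4-microsecond clock and F a keyed hash (SHA-256 stands in here; RFC 6528
leaves the choice of F to the implementer).  Host addresses below are
constructed documentation-range values.
"""
import hashlib
import random

MASK32 = 0xFFFFFFFF


class LegacyISN:
    """Global counter: +128000 per second, +64000 per connection (RFC 1948)."""
    PER_SECOND = 128_000
    PER_CONNECTION = 64_000

    def __init__(self, seed: int = 0):
        self.base = seed & MASK32
        self.connections = 0

    def isn(self, now_seconds: float, four_tuple) -> int:
        # The 4-tuple is ignored: every peer draws from the same counter, so
        # an ISN handed to one client reveals the ISN the next client will get.
        self.connections += 1
        return (self.base
                + int(now_seconds * self.PER_SECOND)
                + self.connections * self.PER_CONNECTION) & MASK32


class Rfc6528ISN:
    """Per-tuple keyed hash plus clock; the secret never leaves the host."""

    def __init__(self, secret_key: bytes):
        self.secret = secret_key

    def isn(self, now_seconds: float, four_tuple) -> int:
        local_ip, local_port, remote_ip, remote_port = four_tuple
        m = int(now_seconds * 250_000) & MASK32          # 4 us ticks
        msg = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hashlib.sha256(self.secret + msg).digest()[:4], "big")
        return (m + f) & MASK32


def random_tuple(rng: random.Random):
    """Constructed 4-tuple: fixed server, random client host and ephemeral port."""
    client = f"198.51.100.{rng.randint(1, 254)}"
    return ("192.0.2.10", 80, client, rng.randint(1024, 65535))


def circular_distance(a: int, b: int) -> int:
    """Distance between two 32-bit sequence numbers, wrapping at 2**32."""
    d = (a - b) & MASK32
    return min(d, MASK32 + 1 - d)


def predictability(gen, trials: int, window: int, seed: int, now: float = 1000.0) -> float:
    """Fraction of trials in which a forecast built from one observed ISN
    falls within `window` of the ISN the host issues to a *different* 4-tuple
    immediately afterwards.  The forecast is the legacy rule (last ISN plus the
    per-connection step); a sound generator should make it worthless."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        observed = gen.isn(now, random_tuple(rng))
        forecast = (observed + LegacyISN.PER_CONNECTION) & MASK32
        actual = gen.isn(now, random_tuple(rng))
        if circular_distance(actual, forecast) <= window:
            hits += 1
    return hits / trials


def compare(trials: int = 1000, window: int = 1 << 16) -> dict:
    """Run the same measurement against both generators."""
    return {
        "legacy": predictability(LegacyISN(seed=12345), trials, window, seed=1),
        "rfc6528": predictability(Rfc6528ISN(b"constructed-secret-key"), trials, window, seed=2),
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:8s} forecast within 2^16 of the real ISN: {rate:.1%}")
```

Against the counter the forecast is exact every time; against the keyed hash it lands within 2^16 of the real value only with probability about 2^-15 per attempt, because the term F differs per 4-tuple and depends on a secret the observer never sees. The measurement only covers the host that actually runs the generator, which is why a proxy that terminates the outside connection would be the place to get this right, while any server that still accepts outside SYNs directly keeps its own generator's weakness.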