Great Circle Associates Firewalls
(November 1996)

Subject: Re: Spoofing... How does it work.
From: ormonde @ trem . cnt . org . br (Rodrigo Ormonde)
Date: Tue, 5 Nov 1996 10:09:23 -0300 (GRNLNDST)
To: thierry @ namsa . nato . int (GUINET Thierry)
Cc: firewalls @ greatcircle . com
In-reply-to: <327EE9D0 . B4F @ aows0 . namsa . lu> from "GUINET Thierry" at Nov 5, 96 08:16:32 am

> Rodrigo Ormonde wrote:
>
> >   Not only this. The attacker must discover what initial sequence number the
> > attacked host has chosen to establish the connection. Since this number has
> > 2^32 possible values it's nearly impossible to guess it.
>
> I beg your pardon, but although the *possibilities* are in a range of 2^32,
> by measuring the round trip time and sniffing the packets coming from your
> "victim" you should be able to guess the sequence number in a *reasonable*
> amount of time.
> ( And yes, I know this is an over simplified explanation :)

  Yes, you are right. The number of possible guesses for the next sequence
number is much smaller than 2^32. In fact, I didn't say it's impossible
to implement this kind of attack, but it is very difficult to do it in the
"real world."

  Suppose you have a TCP implementation that increments the initial sequence
number n times per second, by a fixed amount. In this case you can measure the
round trip time of one packet and guess (in a reasonable way) what the next
number will be. But if you have a "non-deterministic network" (the Internet),
often there is a great variation of round trip time from one packet to
another, and if n is a big number, a small difference of time is enough to
produce a new sequence number. This is what makes this kind of attack very
difficult. (but still possible :-)

  Best Regards.

-- 
Rodrigo de La Rocque Ormonde
Confederacao Nacional do Transporte
e-mail: ormonde @ cnt . org . br
PGP Public key: finger ormonde @ cnt . org . br

    "The only certainty you can have when trying to build an idiot-proof
     system is that the world keeps producing bigger idiots...  :-) "

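The argument in the message above (a clock-driven ISN is predictable up to the RTT variation times the clock rate; a per-connection random ISN is not) can be turned into a check of a stack's own generator. The following is an added example, not code from the thread or from either poster; it assumes a 128000/s clock rate and constructs its own (time, ISN) samples, with the observer's timestamps perturbed by RTT jitter.

```python
import random
import statistics

MOD = 2 ** 32   # sequence numbers live on a 32-bit ring
US = 1_000_000  # timestamps kept as integer microseconds to avoid float drift

def clock_isn(t_us, rate):
    """Deterministic ISN: a counter advancing `rate` units per second (mod 2^32)."""
    return (t_us * rate // US) % MOD

def random_isn(rng):
    """Per-connection random 32-bit ISN, the generator a hardened stack uses."""
    return rng.getrandbits(32)

def signed_delta(a, b):
    """Shortest signed distance from a to b on the 32-bit ring."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d

def audit_isns(samples):
    """samples: [(observed_time_us, isn), ...]. Returns (rate_per_s, window): the
    median increment rate and the largest deviation from what it predicts, i.e.
    how many candidate values an observer must cover for the next ISN."""
    pairs = list(zip(samples, samples[1:]))
    slopes = [signed_delta(a[1], b[1]) * US / (b[0] - a[0]) for a, b in pairs]
    rate = statistics.median(slopes)
    window = max(abs(signed_delta(a[1], b[1]) - rate * (b[0] - a[0]) / US)
                 for a, b in pairs)
    return rate, window

def guess_window(rate, rtt_variation_s):
    """Candidate ISNs: values a `rate`/s clock spans during the RTT uncertainty."""
    return int(rate * rtt_variation_s)

def observe(gen, n, spacing_us, jitter_us, rng):
    """Constructed observations: connection i opens at i*spacing_us but is seen
    only after a random delay in [0, jitter_us] (the RTT variation)."""
    out = []
    for i in range(n):
        t = i * spacing_us
        out.append((t + rng.randint(0, jitter_us), gen(t)))
    return out

def demo(seed=1, jitter_us=10_000):
    """Audit a 128000/s clock (assumed rate) and a random generator: 20 samples,
    100 ms apart, seen through `jitter_us` of RTT variation. Returns both audits."""
    rng = random.Random(seed)
    clock = observe(lambda t: clock_isn(t, 128_000), 20, 100_000, jitter_us, rng)
    rnd = observe(lambda t: random_isn(rng), 20, 100_000, jitter_us, rng)
    return audit_isns(clock), audit_isns(rnd)
```

With 10 ms of jitter the clock's window stays in the low thousands (the page's n times the time variation), while the random generator's window is on the order of 2^31, which is what a defender wants to see from a host's own stack.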