Bernd Eckenfels wrote:
>
> Hi,
>
> > I beg your pardon, but although the *possibilities* are in a range of
> > 2^32,
> > by measuring the roundtriptime and sniffing the packets coming from your
> > "victim" you should be able to guess the sequence number in a
> > *reasonable*
> > amount of time.
>
> Umm... how can you guess the ISN by measuring the RTT? And of course you
> can't sniff the packet from your victim (you don't need to measure anything if
> you can sniff the packet, since the ISN is written clear in it).
>
> If you can sniff the packet it was directed to you anyway. It is possible to
> sniff the packet if you are on the same LAN or on the upstream link, but
> this is usually not the case for attackers. (The local LAN should be secured
> and the upstream links trusted, at least as long as you use insecure
> authentication which relies on the source IP).
>
> Greetings
> Bernd
Ok, as told before, this was an uttermost simplified explanation.
In fact you don't even have to "sniff" the packets. Just send a bunch of
TCP packets to your 'victim' (SMTP, echo, daytime, chargen, ... you name it)
and you'll certainly find one that fits your needs. By this means, having
all the ISNs and RTTs needed, and doing some calculation (knowing that
the ISN is incremented by a constant amount once per second, and by half
the amount each time a connection is initiated [Berkeley derived
systems]), you'll be able to guess the sequence number of your victim.
(And yes, I still know my explanation is oversimplified :-)
For the "in-depth" explanation please refer to:
- A weakness in the 4.2 BSD Unix TCP/IP Software (R. Morris 1985)
- Security problems in the TCP/IP protocol suite (S. Bellovin 1989)
End of the thread... (on my side ;-)
Cheers,
Thierry
--
Thierry Guinet
Systems & Network programmer, Namsa Luxembourg
T . Guinet @ namsa . nato . int
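To show why the Berkeley-style counter Thierry describes is predictable while a keyed-hash generator is not, here is an added example (not code from the thread or either poster) that a defender can use to measure the predictability of an ISN generator: it probes a generator once per simulated second from fresh source ports, learns the step from two samples, and checks how often the next ISN can be predicted. The 128/64 constants, the 250000-ticks-per-second clock, HMAC-SHA256, and the addresses are assumptions.

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF  # ISNs are 32-bit values


class BerkeleyISN:
    """Constructed model of the 4.2BSD-style counter the thread describes:
    it grows by a constant every second and by half that constant on each
    new connection. 128 and 64 are the commonly cited 4.2BSD values (an
    assumption here); the connection tuple is ignored on purpose."""
    PER_SECOND, PER_CONN = 128, 64

    def __init__(self, start=0):
        self.counter, self.last_tick = start, 0

    def isn(self, now, tuple4):
        self.counter += (now - self.last_tick) * self.PER_SECOND + self.PER_CONN
        self.last_tick = now
        return self.counter & MASK


class HashedISN:
    """RFC 1948 / RFC 6528 style: a fine-grained clock plus a keyed hash of
    the 4-tuple, so consecutive ISNs share no linear step (assumed params)."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)

    def isn(self, now, tuple4):
        clock = (now * 250_000) & MASK  # assumed 4-microsecond tick clock
        mac = hmac.new(self.secret, repr(tuple4).encode(), hashlib.sha256).digest()
        return (clock + int.from_bytes(mac[:4], "big")) & MASK


def predictability(gen, trials=50):
    """Probe once per simulated second from a fresh source port, learn the
    step from the first two ISNs, then predict each later ISN as
    previous + step. Returns the fraction predicted correctly: 1.0 for the
    linear counter, ~0 for the hashed generator. Addresses are constructed."""
    samples = [gen.isn(t, ("10.0.0.2", 40000 + t, "10.0.0.1", 25))
               for t in range(trials + 2)]
    step = (samples[1] - samples[0]) & MASK
    hits = sum(((samples[i - 1] + step) & MASK) == samples[i]
               for i in range(2, trials + 2))
    return hits / trials


if __name__ == "__main__":
    print("Berkeley-style counter:", predictability(BerkeleyISN()))
    print("RFC 6528-style hash:   ", predictability(HashedISN()))
```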