Bernd Eckenfels wrote:
> > I beg your pardon, but although the *possibilities* are in a range of 2^32,
> > by measuring the round-trip time and sniffing the packets coming from your
> > "victim" you should be able to guess the sequence number in a *reasonable*
> > amount of time.
> Umm... how can you guess the ISN by measuring the RTT? And of course you
> can't sniff the packet from your victim (you don't need to measure anything if
> you can sniff the packet, since the ISN is written in clear in it).
> If you can sniff the packet it was directed to you anyway. It is possible to
> sniff the packet if you are on the same LAN or on the upstream link, but
> this is usually not the case for attackers. (The local LAN should be secured
> and the upstream links trusted, at least as long as you use insecure
> authentication which relies on the source IP).
Ok, as told before, this was an utmost simplified explanation.
In fact you don't even have to "sniff" the packets. Just send a
TCP packet to your 'victim' (SMTP, echo, daytime, chargen, ... you
and you'll certainly find one that fits your needs. By this means,
all the ISNs and RTTs needed, and doing some calculation (knowing
the ISN is incremented by a constant amount once per second, and by
the amount each time a connection is initiated [Berkeley-derived
systems]), you'll be able to guess the sequence number of your
(And yes, I still know my explanation is over simplified :-)
For the "in-depth" explanation please refer to:
- A weakness in the 4.2 BSD Unix TCP/IP Software (R. Morris 1985)
- Security problems in the TCP/IP protocol suite (S. Bellovin
End of the thread... (on my side ;-)
Systems & Network programmer, Namsa Luxembourg
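The following simulation is an added example and is not part of the thread or of either poster's material. It models the Berkeley-derived ISN counter the reply describes (a global counter bumped by a constant per second and by a constant per new connection) next to an RFC 1948-style generator that adds a keyed hash of the connection 4-tuple, and runs the same defender-side audit against both: open a few connections at known times, fit the increments, predict the next ISN, and measure the error. The per-second and per-connection constants, the HMAC-SHA256 choice for F, and the 192.0.2.x / 198.51.100.x addresses are assumptions made for the simulation.

```python
import hashlib
import hmac
import os

MODULUS = 2 ** 32
# Assumed constants for the simulation (not from the thread); they are of the
# order RFC 1948 reports for 4.4BSD, 128000 per second and 64000 per connection.
RATE_PER_SECOND = 128_000
PER_CONNECTION = 64_000


class BerkeleyIsnGenerator:
    """Models the Berkeley-derived scheme the reply describes: one global
    counter that grows by a fixed amount per second and by a fixed amount
    per new connection, regardless of who is connecting."""

    def __init__(self, start=0):
        self.start = start
        self.connections = 0

    def isn(self, now, local, remote):
        # local/remote are ignored on purpose: that independence from the
        # peer is exactly what makes the counter observable by anyone
        self.connections += 1
        return (self.start + int(now) * RATE_PER_SECOND
                + self.connections * PER_CONNECTION) % MODULUS


class Rfc1948IsnGenerator:
    """RFC 1948-style mitigation: the same clock-driven term M plus a keyed
    hash F(local, remote, secret) that is fixed for one 4-tuple but unrelated
    across 4-tuples, so observing your own connections says nothing about
    the ISN another peer will receive."""

    def __init__(self, secret=None, start=0):
        self.secret = secret if secret is not None else os.urandom(16)
        self.start = start
        self.connections = 0

    def isn(self, now, local, remote):
        self.connections += 1
        m = (self.start + int(now) * RATE_PER_SECOND
             + self.connections * PER_CONNECTION) % MODULUS
        tag = hmac.new(self.secret, f"{local}|{remote}".encode(),
                       hashlib.sha256).digest()
        f = int.from_bytes(tag[:4], "big")
        return (m + f) % MODULUS


def audit_isn_predictability(generator, remote="198.51.100.7:25"):
    """Defender-side audit of a generator: open three connections whose times
    and ports we control, estimate the per-connection and per-second
    increments, predict the ISN of a fourth connection, and return the
    distance between prediction and reality (0 means fully predictable).
    Addresses are constructed from the documentation ranges."""
    probes = [(0, "192.0.2.10:40000"),
              (0, "192.0.2.10:40001"),
              (1, "192.0.2.10:40002")]
    observed = [generator.isn(t, local, remote) for t, local in probes]
    per_conn = (observed[1] - observed[0]) % MODULUS
    per_sec = (observed[2] - observed[1] - per_conn) % MODULUS
    # fourth connection two seconds later: one more per-connection step and
    # two more per-second steps, if the counter really is linear
    predicted = (observed[2] + 2 * per_sec + per_conn) % MODULUS
    actual = generator.isn(3, "192.0.2.10:40003", remote)
    return (actual - predicted) % MODULUS


if __name__ == "__main__":
    print("Berkeley-style error:",
          audit_isn_predictability(BerkeleyIsnGenerator(start=12345)))
    print("RFC 1948-style error:",
          audit_isn_predictability(Rfc1948IsnGenerator()))
```

The audit needs no sniffing and no RTT measurement at all, which is the point of the reply: a few connections of your own are enough to fit a linear counter, so the only effective defence is to make the counter a function of a secret and of the peer, as RFC 1948 does. Running the same audit against a real stack (with real sockets in place of the simulated generators) is a cheap check that a host is not still shipping a linear ISN.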