Elias Levy <[EMAIL PROTECTED]> writes:
> It seems the vulnerability lies in the implementation of some TCP/IP
> stacks that attempt to randomize TCP's initial sequence numbers - ironically
> for the purpose of not generating predictable ISNs to stop blind IP spoofing
> of TCP connections. While the ISNs generated by these implementations appear
> random they apparently are statistically predictable.
I think this is the cause. For example, Solaris 2.6 uses a PRNG when
the "tcp_strong_iss" sysctl has the value 1. The PRNG output (and the
ISN derived from it) appears pretty random to the casual observer
(e.g. nmap), but with a more sophisticated approach, it should be
possible to recover the internal state of the PRNG.
If "tcp_strong_iss" is set to 2, the RFC 1948 approach is implemented,
which is probably secure.
For an example of how to set "tcp_strong_iss" properly, see 'Example G'
http://www.enteract.com/~lspitz/example.html
--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
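Added example (not from the original post or from Solaris): it contrasts an ISN generator that hands out raw PRNG output with the per-connection offset scheme of RFC 1948 that the post says tcp_strong_iss=2 selects. The LCG parameters are a constructed toy, and HMAC-SHA256 is swapped in for the MD5 construction RFC 1948 describes (assumption).

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

# --- Weak scheme: the ISN is the raw output of a toy linear congruential PRNG.
# Constructed toy parameters; the point is that the state IS the output, so an
# observer who sees one ISN can compute every later one.
A, C = 1664525, 1013904223


def lcg_next(state):
    return (A * state + C) & MASK32


def weak_isns(seed, n):
    """ISNs handed to n successive connections by the toy PRNG scheme."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


def predict_from_observed(observed_isn):
    """What an observer who saw one ISN can compute as the next one."""
    return lcg_next(observed_isn)


# --- RFC 1948 scheme: ISN = M + F(local, remote, secret).
# M is a 4-microsecond clock; F is a keyed hash of the connection 4-tuple.
# RFC 1948 specifies MD5 over tuple and secret; HMAC-SHA256 is used here.
def rfc1948_isn(secret, src_ip, src_port, dst_ip, dst_port, now_us):
    m = (now_us // 4) & MASK32
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def offset_between(secret, tuple_a, tuple_b, now_us):
    """Difference between two connections' ISNs at the same instant. The clock
    term cancels; what remains depends only on the secret, so watching one
    connection's ISNs does not reveal another connection's."""
    return (rfc1948_isn(secret, *tuple_b, now_us)
            - rfc1948_isn(secret, *tuple_a, now_us)) & MASK32


if __name__ == "__main__":
    seen = weak_isns(12345, 3)
    print("weak: saw", seen[0], "-> predicts", predict_from_observed(seen[0]), "actual", seen[1])
    key = b"constructed-secret"
    a = ("10.0.0.1", 40000, "10.0.0.2", 22)
    print("rfc1948:", rfc1948_isn(key, *a, 1_000_000), rfc1948_isn(key, *a, 1_000_004))
```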