Hi
I'm not worried about hackers; the sending probe machine is not configured
to receive any packets on this port. Actually, the probe is not sent via the
TCP stack, but using a raw socket.
Therefore any hacker's attempt to send me a packet will be answered with an
RST frame.
Also, I don't see any disadvantages of seq=1; it is easy to guess what the
next seq number is also if you start from 342353122, for example.
seq can be easily computed as
seq_next = seq + len + ( ( ( SYN | FIN ) & flags ) ? 1 : 0 );
Am I wrong?

toly
-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 6:49 AM
To: [EMAIL PROTECTED]
Subject: Re: TCP seq changed when cross Cisco PIX 525 [7:18764]


Always starting with TCP sequence number 1 is a bad thing. It makes it easy 
for a hacker to guess what the sequence number is and insert himself into a 
connection establishment.

So PIX and other firewalls let you randomize the starting sequence number 
for TCP implementations that don't already do this.

Priscilla

At 02:48 AM 9/6/01, Anatoly Shein wrote:
>Hi
>I have encountered a strange situation.
>Probably one of you can help or has heard about something similar.
>
>Problem description:
>There is a Sun machine connected to a pair of Cisco PIX 525s.
>On the Sun there is software that sends TCP SYN probe packets
>with a sequence number that starts from 1 and increments for each packet.
>Packets are sent 1 for 50 milliseconds.
>When a packet crosses the router, the sequence number is changed.
>This change is consistent for one set of packets but is not
>for a subsequent set of packets.
>
>for example :
>before cisco            after cisco
>1. TCP syn seq = 1      seq = 1 + x
>2. TCP syn seq = 2      seq = 2 + x
>3. TCP syn seq = 3      seq = 3 + x
>FAQ, list archives, and subscription info: 
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


________________________

Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19162&t=18764
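
Added example, not part of the original thread and not Cisco's code: a simplified Python model of the behaviour discussed above, where a firewall adds one random offset x to the sequence numbers of a flow and removes it from returning acknowledgements. Keying the offset on the 4-tuple, the class and function names, and the addresses are assumptions made for illustration.

```python
import secrets

SYN, FIN = 0x02, 0x01   # TCP flag bits
MOD = 1 << 32           # sequence numbers are 32-bit and wrap


def next_seq(seq, length, flags):
    """The thread's formula, parenthesised: payload length, plus 1 for SYN or FIN."""
    return (seq + length + (1 if flags & (SYN | FIN) else 0)) % MOD


class SeqRandomizer:
    """Simplified model: one random offset x per flow (assumed keying)."""

    def __init__(self):
        self.offsets = {}

    def _x(self, flow):
        if flow not in self.offsets:
            self.offsets[flow] = secrets.randbelow(MOD)
        return self.offsets[flow]

    def outbound(self, flow, seq):
        """Inside to outside: add x to the sender's sequence number."""
        return (seq + self._x(flow)) % MOD

    def inbound_ack(self, flow, ack):
        """Outside to inside: subtract x so the sender sees its own numbering."""
        return (ack - self._x(flow)) % MOD

    def close(self, flow):
        """Forget the flow; the next one gets a fresh x."""
        self.offsets.pop(flow, None)


def demo():
    fw = SeqRandomizer()
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)   # constructed 4-tuple
    first = [fw.outbound(flow, s) for s in (1, 2, 3)]
    # Peer acknowledges the translated SYN; inside host must see ack = 2.
    ack_inside = fw.inbound_ack(flow, next_seq(first[0], 0, SYN))
    fw.close(flow)
    second = [fw.outbound(flow, s) for s in (1, 2, 3)]
    return first, ack_inside, second


if __name__ == "__main__":
    print(demo())
```

Within one flow the outside values keep the spacing of 1, 2, 3, as in the before/after table quoted above, while an observer outside the firewall never sees the predictable starting value.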