At 09:30 AM 9/9/01, Anatoly Shein wrote:
>Hi
>I'm not worried about hackers, the sending probe machine is not configured to

You're different from the rest of the world then.

>receive any packet on this port. Actually the probe is not sent via the TCP stack,
>but using a raw socket.
>Therefore any hacker's attempt to send me a packet will be answered with a RST
>frame.

Not if you're under attack and are unable to send a RST.

>Also I don't see any disadvantage of seq=1; it is easy to guess what the
>next seq number is

Well, the rest of the world, especially security experts, see a 
disadvantage with seq = 1.

>also if you start from 342353122, for example.
>seq can be easily computed as seq next = seq + len + ( ( SYN | FIN ) & flags )
>? 1 : 0;
>Am I wrong?

The problem occurs where the hacker doesn't actually see the first frame 
and has no idea what the sequence number is but is still able to send a 
reply that looks legitimate.

It's documented in most security explanations. Do some research. Check 
descriptions of IP spoofing. I did a search on Google and immediately found 
this article that looks pretty good:

http://www.fc.net/phrack/files/p48/p48-14.html

Priscilla


>toly
>-----Original Message-----
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Friday, September 07, 2001 6:49 AM
>To: [EMAIL PROTECTED]
>Subject: Re: TCP seq changed when cross Cisco PIX 525 [7:18764]
>
>
>Always starting with TCP sequence number 1 is a bad thing. It makes it easy
>for a hacker to guess what the sequence number is and insert himself into a
>connection establishment.
>
>So PIX and other firewalls let you randomize the starting sequence number
>for TCP implementations that don't already do this.
>
>Priscilla
>
>At 02:48 AM 9/6/01, Anatoly Shein wrote:
> >Hi
> >I encountered a strange situation.
> >Probably one of you can help/has heard about something similar.
> >
> >Problem description:
> >There is a Sun machine connected to a pair of Cisco PIX 525s.
> >On the Sun there is software that sends TCP SYN probe packets
> >with a sequence number that starts from 1 and increments for each packet.
> >Packets are sent one every 50 milliseconds.
> >When the packets cross the router the sequence number is changed.
> >This change is consistent for one set of packets but is not
> >for subsequent sets of packets.
> >
> >for example :
> >before cisco            after cisco
> >1. TCP syn seq = 1      seq = 1 + x
> >2. TCP syn seq = 2      seq = 2 + x
> >3. TCP syn seq = 3      seq = 3 + x
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
>________________________
>
>Priscilla Oppenheimer
>http://www.priscilla.com
________________________

Priscilla Oppenheimer
http://www.priscilla.com
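
The attack Priscilla describes (an attacker who never saw the SYN, yet can forge a reply the probe host accepts) and the "next seq" arithmetic from Anatoly's message, as an added simulation written for this thread; it is not code from either poster and sends no real packets. It models only the RFC 793 rule a host in SYN-SENT applies to an incoming SYN-ACK: the segment is acceptable when its ACK equals SND.NXT, i.e. ISN+1. The fixed-ISN generator mirrors the probe (starts at 1, +1 per connection); the random generator stands in for what the PIX does when it randomises the ISN. One point on the formula in the message: SYN and FIN each occupy one sequence number, so a segment carrying both consumes two, which is what next_seq below does.

```python
"""Added example: why a fixed or predictable TCP initial sequence number (ISN)
lets a blind attacker forge a reply that looks legitimate. Pure simulation,
no sockets; the host and attacker are modelled as small state machines."""
import os
import random
import struct


def next_seq(seq: int, payload_len: int, syn: bool = False, fin: bool = False) -> int:
    """Sequence number following a segment (RFC 793): data occupies
    payload_len numbers, and SYN and FIN each occupy one more. Wraps at 2**32."""
    return (seq + payload_len + int(syn) + int(fin)) & 0xFFFFFFFF


def fixed_isn(host_state: dict) -> int:
    """ISN policy of the probe in the thread: first connection uses 1,
    each later connection uses the previous value + 1."""
    host_state["n"] = host_state.get("n", 0) + 1
    return host_state["n"]


def random_isn(host_state: dict) -> int:
    """ISN drawn from the OS CSPRNG, 32 bits; stands in for a randomising
    firewall or a modern TCP stack."""
    return struct.unpack(">I", os.urandom(4))[0]


def attacker_counter_guess(attacker_state: dict) -> int:
    """Blind attacker who knows the host's 'start at 1, +1 per connection'
    policy and simply runs the same counter. Assumption: the attacker has
    observed or inferred the host's connection count once."""
    attacker_state["n"] = attacker_state.get("n", 0) + 1
    return attacker_state["n"]


def attacker_random_guess(attacker_state: dict) -> int:
    """Blind attacker against a random ISN: the best it can do is guess."""
    return random.getrandbits(32)


def blind_synack_acceptance_rate(isn_gen, guess_fn, trials: int = 1000) -> float:
    """Each trial: the host sends a SYN with ISN from isn_gen (the attacker
    never sees that frame). The attacker forges a SYN-ACK whose ACK field is
    guess + 1. The host accepts it only if ACK == SND.NXT == ISN + 1.
    Returns the fraction of forged replies the host accepted."""
    host_state, attacker_state = {}, {}
    accepted = 0
    for _ in range(trials):
        isn = isn_gen(host_state)
        snd_nxt = next_seq(isn, 0, syn=True)          # ISN + 1 after the SYN
        forged_ack = next_seq(guess_fn(attacker_state), 0, syn=True)
        if forged_ack == snd_nxt:
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    print("fixed ISN (starts at 1):  forged reply accepted %.3f of the time"
          % blind_synack_acceptance_rate(fixed_isn, attacker_counter_guess))
    print("random 32-bit ISN:        forged reply accepted %.3f of the time"
          % blind_synack_acceptance_rate(random_isn, attacker_random_guess))
```

With the fixed policy every forged SYN-ACK is accepted, which is exactly the "reply that looks legitimate" from a hacker who never saw the first frame; against a random 32-bit ISN the blind guess practically never lands. The per-session offset the PIX adds (the x in the original post) is what moves the probe from the first case to the second.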




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19196&t=18764
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
