The tcp iss number chosen by the 2.2.2-RELEASE kernel, while an improvement over the constant increment version, is still guessable. Although random() is used, the seed is not updated and so the pseudo random number sequence is essentially published.

Fix: The following context diffs use a 32 bit random number that is based on a seed that is not externally visible. (See the comments in tcp_new_iss() for a more detailed explanation.) While this version does technically violate the spec, it doesn't do so in a manner that will impact any current or future implementation. (We've been running a version of this code on our SunOS 4 systems since the early days of ip spoofing.)

+ rcsdiff -c tcp_input.c
RCS file: RCS/tcp_input.c,v
retrieving revision 1.2

How-To-Repeat: While we haven't actually written the test program that guesses the next iss, given access to the kernel source it is only an exercise.
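The weakness the report describes (a generator whose seed is fixed at boot and never refreshed, so the whole sequence can be replayed by anyone who knows the algorithm) and the shape of the fix (a seed the network never sees) can be modelled in a few lines of userland C. This is an added illustration, not the kernel's tcp_new_iss() or the submitted diff; the LCG constants, PUBLISHED_SEED and the use of /dev/urandom as a stand-in for the in-kernel RNG are all assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal linear congruential generator standing in for random().
 * Constants are a common textbook choice, not the kernel's. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Model of the 2.2.2-RELEASE behaviour: the seed is a constant that is
 * never updated, so it is effectively public. Constructed value. */
#define PUBLISHED_SEED 0x2000u

/* Model of the fix: draw the seed once from a source the network cannot
 * observe (/dev/urandom here, in place of the in-kernel secure RNG that
 * Wollman's reply recommends). Returns 0 on success, -1 on failure. */
static int secret_seed(uint32_t *seed) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(seed, sizeof *seed, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Returns 1 if a second, independent instance started from known_seed
 * reproduces `count` consecutive outputs of the generator whose current
 * state is `state`; 0 otherwise. This is the "published sequence" test:
 * if it returns 1, every ISS the host will hand out is predictable. */
static int replayable(uint32_t state, uint32_t known_seed, int count) {
    uint32_t probe = known_seed;
    for (int i = 0; i < count; i++)
        if (lcg_next(&state) != lcg_next(&probe)) return 0;
    return 1;
}

int main(void) {
    uint32_t hidden;
    /* Fixed, public seed: an observer replays the sequence exactly. */
    printf("fixed seed replayable: %d\n",
           replayable(PUBLISHED_SEED, PUBLISHED_SEED, 8));
    /* Hidden seed: the same observer, still assuming the public seed,
     * fails (barring a 2^-32 collision). Note the toy LCG itself leaks
     * its state in every output; a real fix must also avoid that. */
    if (secret_seed(&hidden) == 0)
        printf("hidden seed replayable: %d\n",
               replayable(hidden, PUBLISHED_SEED, 8));
    return 0;
}
```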
<<On Wed, 23 Jul 1997 16:49:14 -0700 (PDT), leres@ee.lbl.gov (Craig Leres) said:

> The following context diffs use a 32 bit random number that
> is based on a seed that is not externally visible. (See
> the comments in tcp_new_iss() for a more detailed explanation.)
> While this version does technically violate the spec, it
> doesn't do so in a manner that will impact any current or
> future implementation. (We've been running a version of
> this code on our SunOS 4 systems since the early days of
> ip spoofing.)

If you go to this extreme, you might as well just use the in-kernel secure random number generator instead.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
State Changed From-To: open->feedback

I will close this instead with a proper close message.
State Changed From-To: feedback->closed

This has been made stronger in 2.2-STABLE, 3-STABLE, 4-STABLE and current. From the cvs log:

Revision 1.81, Fri Sep 29 01:37:19 2000 UTC (4 weeks ago) by kris
Branch: MAIN
Changes since 1.80: +2 -2 lines

Use stronger random number generation for TCP_ISSINCR and tcp_iss.

Reviewed by: peter, jlemon