Graphing Randomness in TCP Initial Sequence Numbers

Posted by michael
from the winning-lottery-numbers-in-there-somewhere dept.
Saint Aardvark writes "This is neat: Graphic visualization of how random TCP Initial Sequence Numbers really are for different OSs. It's a great way of seeing how secure a TCP stack really is. Cisco IOS is great; OS9, OpenVMS and IRIX aren't. Posted to the ever-lovin' BugTraq mailing list." This is a follow-up to the previous report.
  • Original report (Score:5, Informative)

    by Caine (784) on Wednesday September 11, 2002 @08:22AM (#4236132)
    Original report here:

    http://razor.bindview.com/publish/papers/tcpseq.html [bindview.com]
  • by OrangeSpyderMan (589635) on Wednesday September 11, 2002 @08:28AM (#4236153)
    You will find the original report here [bindview.com], and you might like to check out the linux section. Credit to a previous poster for that link, however.
  • by chrisbolt (11273) on Wednesday September 11, 2002 @08:32AM (#4236166) Homepage
    I got part of it mirrored [66.28.104.15] before it went down.
  • by Clover_Kicker (20761) <clover_kicker@yahoo.com> on Wednesday September 11, 2002 @08:33AM (#4236171)
    >Why isn't Linux tested in the report? It's
    >certainly more common than many of the other
    >selections.
    >
    >Should we assume Linux matches *BSD or some other
    >flavor? Or do I need to read more carefully :-)

    You need to read more carefully.
    In this section, we review a number of operating systems that were either identified as not satisfactory in the original publication, or were not covered by our research at the time. Several systems, such as Linux, use the same, satisfactory ISN generator as the one used a year ago, and because of that, are not covered here in any more detail.
  • by vidnet (580068) on Wednesday September 11, 2002 @09:05AM (#4236300) Homepage
    I got through fairly easily, but just in case it gets worse, Here's [homelinux.net] a mirror.

    It's just a 133MHz NetBSD box on a home ADSL line though, but I figured the more the merrier.

  • by Anonymous Coward on Wednesday September 11, 2002 @10:03AM (#4236840)
    Heh...

    Most of them have constant or +1 ISNs. Some advanced ones have +64k.
  • Re:Linux?? (Score:4, Informative)

    by raynet (51803) on Wednesday September 11, 2002 @10:04AM (#4236845) Homepage

    If you read the article it says:

    3. New evidence

    In this section, we review a number of operating systems that were either identified as not satisfactory in the original publication, or were not covered by our research at the time. Several systems, such as Linux, use the same, satisfactory ISN generator as the one used a year ago, and because of that, are not covered here in any more detail.
  • by mkettler (6309) on Wednesday September 11, 2002 @10:51AM (#4237371)
    Agreed, such devices tend to have poor ISNs, but then again, they are for home use, and the ports they serve only respond on the INSIDE. Outbound traffic passes through with more-or-less the same ISN it started with.

    Unless you don't trust people on your home LAN, it's not much of an issue. Yes, it should be done right, but the only people that can exploit this are those within your network. If they are in your home, they can do much worse than hijack your session as you configure the router.

    As for outbound traffic, if you connect to an outside website from an inside PC, it uses the ISN that the PC generated and doesn't change it, or adds some simple fixed constant. It still retains all of the entropy of the original PC's ISN. Nobody from the outside should be able to connect to the configuration server in the "DSL router" device. Hence, nobody from the outside really sees the poor entropy of the DSL router's ISNs.

    Only higher-end firewall products, i.e. the Cisco PIX, attempt to mangle the ISN generation as they translate hosts. Most of the simple products do not, and certainly none of the $100 DSL routers do.

    Also, good ISN generation is actually important to more "commercial" grade routers, since these devices are sometimes deployed and administered remotely, generate tunnels, etc. Thus these routers/firewalls sometimes have exposed ports, or exposed client traffic on a public network as they are being reconfigured.

    Of course, many are only configured locally, or over a local LAN, which makes the risk a lot lower, but also users on corporate LANs are generally less trusted than those in your own home.
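To make concrete what the paper graphs and what the comments above describe (constant, +1 and +64k ISN steps versus random ones, and mkettler's point that a NAT adding a fixed constant preserves the inside PC's entropy), here is an added Python example; it is not from the paper or from any poster, and its ISN samples are constructed rather than captured. It scores a sequence of successive ISNs by the distribution of their deltas, a cruder measure than the paper's phase-space plots but enough to separate the generator families named here.

```python
import math
import random
from collections import Counter

MOD = 1 << 32  # ISNs are 32-bit, so successive deltas wrap modulo 2^32


def deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify(isns):
    """Name the generator family by its delta pattern."""
    d = deltas(isns)
    if not d:
        raise ValueError("need at least two ISN samples")
    if len(set(d)) == 1:  # every step identical: fully predictable
        return {0: "constant", 1: "+1", 65536: "+64k"}.get(d[0], "fixed step %d" % d[0])
    return "varying"


def delta_entropy_bits(isns):
    """Shannon entropy of the observed deltas: 0 bits means the next ISN is
    determined by the previous one; a good generator approaches log2(samples)."""
    d = deltas(isns)
    n = len(d)
    return -sum(c / n * math.log2(c / n) for c in Counter(d).values())


def best_guess_hit_rate(isns):
    """Fraction of samples the single most common delta would have predicted."""
    d = deltas(isns)
    return max(Counter(d).values()) / len(d)


def nat_rewrite(isns, offset):
    """Model the cheap-router behaviour mkettler describes: a fixed constant is
    added to every outbound ISN (assumption: the offset is the same per flow)."""
    return [(x + offset) % MOD for x in isns]


# Constructed samples standing in for the paper's probes (not real captures).
N = 200
CONSTANT = [0x12345678] * N
PLUS_ONE = [(0x12345678 + i) % MOD for i in range(N)]
PLUS_64K = [(0x12345678 + 65536 * i) % MOD for i in range(N)]
_rng = random.Random(2002)
RANDOM = [_rng.getrandbits(32) for _ in range(N)]


def report(name, isns):
    return (name, classify(isns), round(delta_entropy_bits(isns), 2),
            round(best_guess_hit_rate(isns), 3))


if __name__ == "__main__":
    for name, s in [("constant", CONSTANT), ("+1", PLUS_ONE),
                    ("+64k", PLUS_64K), ("random", RANDOM)]:
        print(report(name, s))
    # A fixed NAT offset cancels out in every delta, so the score is unchanged.
    print(report("random via NAT", nat_rewrite(RANDOM, 0x0BADCAFE)))
```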

  • by Graff (532189) on Wednesday September 11, 2002 @12:20PM (#4238131)
    The main problem is that this may not be as random as you may think. Many of these "random" fluctuations are actually fairly non-random, relating to electromagnetic fields around the circuit. So what may seem random one moment can become very non-random the next as the conditions around the circuit change. That being said, these kinds of circuits could possibly serve as seeds to a random number generator. However, I'm unsure if it would be better to have a regular, dependable seed device such as a clock, or to have a semi-random, unreliable device such as the circuit you have proposed.
