Slashdot Mirror
TCP/IP Sequence Number Analysis
johnwbyrd writes "Upon connection via TCP/IP to a host, the host generates an Initial Sequence Number (ISN). It's important to design ISN generation sequences so remote attackers can't predict an ISN (this is called a "blind spoofing" attack). Using phase space analysis you can check the quality of ISNs generated on various OSes. Windows 98's graph is quite pretty."
http://216.239.39.100/search?q=cache:sJUlrsbgsJ4C: razor.bindview.com/publish/papers/tcpseq.html+&hl= en&ie=UTF-8&e=619
You know you can't copy-and-paste google cache links, right? That one doesn't work, at least, and it's never worked for me.
using namespace slashdot;
troll::post();
Let's see. Mitnick used this what, 8 years ago now? That's how he got into that guy's login session that was pre-existing between the two machines, or something to that effect.
Plus, various folks were using this on big IRC networks after that, but still many years ago.
That "emmanuel-" in #2600 that says he gave the subscription list to the FBI and ran over Walter was a spoof. So was billg in #windows95. That's just the tip of the iceberg.
Everything old is new again.
Maybe because it's the OS family used by the vast majority of people, regardless of suckage?
"Oh no... he found the
Here is the correct Google cache:
: razor.bindview.com/publish/papers/tcpseq/print.htm l
http://216.239.51.100/search?q=cache:pIKhdPlNqPYC
wasn't this already posted here like a year ago?
Oops didn't know that. My first time giving this advice. Well for everyone, just goto www.google.com and type in the address:
. ht ml
http://razor.bindview.com/publish/papers/tcpseq
Then just click on the "Cached" link in the results page.
eTrade SUCKS
Pictures are bettererer.
r azor.bindview.com/publish/papers/tcpseq.html
http://web.archive.org/web/20020124085843/http://
Keep in mind it's still remarkably hard to spoof with each successive packet, even if you can predict sequence numbers.
The first is easy, the second likey, the third less likely, and so on. Spoofing a long conversation would be very difficult, if not practically impossible.
Windows NT4 SP3
Attack feasibility: 97.00%
Operating system: Windows 98 SE
Attack feasibility: 100.00%
Operating system: Windows 95
Attack feasibility: 100.00%
Fault loves the past, worry loves the future, but content enjoys the present.
Why doesn't Slashdot cache pages, images and linked pages (and their images) 1 level deep before posting a link?
/. effect is getting stronger than ever. I just hope none of these sites pay for bandwidth.
/.ing fix could be easily done, just put the code into slash, do it on the fly.
I know this isn't really quite on (this) topic, and it has been said before, but the
This
-twb
Now what does that tell us about the majority of people.. but you already knew that..
Comment removed based on user account deletion
Ok, I've mirrored the HTML and most of the images(still downloading) HERE. Please only download this to mirror it! My bandwidth is limited!
Yeah, the bozos that created page put the entire report, with some 40-50 embedded images on one page. So everyone that hits the things tries to pull down many megs if image files all at once.
:)
To summarized the report. Unpatched versions of NT4 and Windows 95/98SE are the most vunerable to spoofing attacks because of predictable patterns, or attractors, in the sequence produced by the random number generator used for ISNs. Linux,OpenBSD and FreeBSD scored near the top, though the report says there is room for improvement. Windows 2000, MacOSX, IRIX and BSDI were in the middle of the pack. HPUX and AIX were just as bad as windows 98.
So we have out prototypical 'windows less secure than linux' submission and the slashdotters are happy
-josh
I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.
http://web.archive.org/web/20010605064202/http://r azor.bindview.com/publish/papers/tcpseq/funct.jpg / r azor.bindview.com/publish/papers/tcpseq/mix.jpg
h ttp://web.archive.org/web/20010605045958/http://r azor.bindview.com/publish/papers/tcpseq/mix2.jpg
http://web.archive.org/web/20010605035655/http://r azor.bindview.com/publish/papers/tcpseq/linux.jpg / r azor.bindview.com/publish/papers/tcpseq/win2k.jpg / r azor.bindview.com/publish/papers/tcpseq/winnt.jpg / r azor.bindview.com/publish/papers/tcpseq/win95.jpg / r azor.bindview.com/publish/papers/tcpseq/win98.jpg / r azor.bindview.com/publish/papers/tcpseq/cisco2.jpg / /r azor.bindview.com/publish/papers/tcpseq/cisco.jpg / r azor.bindview.com/publish/papers/tcpseq/aix.jpg
h ttp://web.archive.org/web/20010605063344/http://r azor.bindview.com/publish/papers/tcpseq/freebsd.jp g: //r azor.bindview.com/publish/papers/tcpseq/openbsd.jp g: //r azor.bindview.com/publish/papers/tcpseq/obsdnew.jp g: //r azor.bindview.com/publish/papers/tcpseq/hpux11.jpg / /r azor.bindview.com/publish/papers/tcpseq/sol7.jpg
http://web.archive.org/web/20010605062854/http://r azor.bindview.com/publish/papers/tcpseq/sol8.jpg
http://web.archive.org/web/20010605055059/http://r azor.bindview.com/publish/papers/tcpseq/sol2.jpg
http://web.archive.org/web/20010605060640/http://r azor.bindview.com/publish/papers/tcpseq/sol2ip.jpg / /r azor.bindview.com/publish/papers/tcpseq/bsdi.jpg
http://web.archive.org/web/20010605070105/http://r azor.bindview.com/publish/papers/tcpseq/irix.jpg
http://web.archive.org/web/20010605042650/http://r azor.bindview.com/publish/papers/tcpseq/macos1.jpg / /r azor.bindview.com/publish/papers/tcpseq/macos.jpg / r azor.bindview.com/publish/papers/tcpseq/dnslibc.jp g: //r azor.bindview.com/publish/papers/tcpseq/dnswin.jpg / /r azor.bindview.com/publish/papers/tcpseq/dnssol.jpg / /r azor.bindview.com/publish/papers/tcpseq/comp.jpg
http://web.archive.org/web/20010605053816/http://r azor.bindview.com/publish/papers/tcpseq/random.jpg / /r azor.bindview.com/publish/papers/tcpseq/data.jpg
http://web.archive.org/web/20010605044549/http://r azor.bindview.com/publish/papers/tcpseq/mix.jpg
h ttp://web.archive.org/web/20010824145421/http://r azor.bindview.com/publish/papers/tcpseq/linc.jpg
http://web.archive.org/web/20010605064500/http://r azor.bindview.com/publish/papers/tcpseq/ttime.jpg
http://web.archive.org/web/20010605044549/http:/
http://web.archive.org/web/20010605064823/http:/
http://web.archive.org/web/20010605040907/http:/
http://web.archive.org/web/20010605070134/http:/
http://web.archive.org/web/20010824220456/http:/
http://web.archive.org/web/20010605051434/http:/
http://web.archive.org/web/20010828165152/http:
http://web.archive.org/web/20010604211355/http:/
http://web.archive.org/web/20010605052241/http
http://web.archive.org/web/20010605050747/http
http://web.archive.org/web/20010605064736/http
http://web.archive.org/web/20010605061712/http:
http://web.archive.org/web/20010605044904/http:
http://web.archive.org/web/20010605041254/http:
http://web.archive.org/web/20010605054335/http:/
http://web.archive.org/web/20010605061755/http
http://web.archive.org/web/20010605060741/http:
http://web.archive.org/web/20010605051819/http:
http://web.archive.org/web/20010605053140/http:
Remove the spaces, copy-and-paste. We don't want to take the Internet Archive down, as well.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Comment removed based on user account deletion
Yeah.
Only a use of this attack is to get around IP filters, or to hide the origin of a communication.
And you can't receive data.
So attack is feasible.. but not that useful.
It's running Microsoft-IIS/4.0 on NT4/Windows 98 - so what do you expect?
Video Game cheats, hints a
This is the first section:
Table of Contents:
0. Abstract
1. Introduction
1.1 TCP Sequence generation and PRNGs
1.2 Spoofing Sets
2. Phase Space Analysis, Attractors and ISN Guessing
2.1 Introduction to Phase Space Analysis
2.2 Using Attractors for Spoofing Set Construction
2.3 Real-Life Attack Algorithms
3. Review of Operating Systems
3.1 Linux
3.2 Windows
3.3 Cisco IOS
3.4 AIX
3.5 FreeBSD and NetBSD
3.6 OpenBSD
3.7 HP/UX
3.8 Solaris
3.9 BSDI
3.10 IRIX
3.11 MacOS
3.12 Multiple Network Devices
3.13 Other PRNG issues
4. Risk Analysis
5. Conclusions
6. References
7. Credits
Appendix A: Phase Space Images of Known Generating Functions
Hopefully now only people who want to read it will click on the link!
Video Game cheats, hints a
Read the FAQ ...
Switch back to Slashdot's D1 system.
More than that, this is a good reason why having only one major OS cannot be secure. If you can write an extremely good sequence number predictor for Windows 2000 sessions and get yourself a few nice deer stands on the periphery of the backbone (or heck, in the backbone - I'm not sure how feasible that is), you can 0wn the majority of corporations you're interested in attacking.
Personally, I think Bush's Department of Homeland Defense is going to be a complete crock if nothing is done about this and other computer security issues. I can't figure out if none of Dubya's advisors understand computers or if they are so full of it as to actually think, for whatever reason, that nobody would ever attack the US electronically. I have a feeling it's the latter being caused by the former, though. . .
Which would provide somewhat random ISNs. What we are seeing here is the fact that compuers today are faster than they where twenty years ago, and thus better random (or psuedo-random) ISN generators are needed. Still it's nice to see vendors getting called out on bad implementations.
"In my values, freedom is more important than 'serving users' in a mere practical sense." -- RMS
it was here.
:wq
And also, I happened notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how its around ~10% attack feasability compared to 100% with older versions.
well, to be honest, it's not the most uptodate thing in the world. the freebsd tested was 4.2. and there have been significant improvements in tcp sequencing since then (being as we're at 4.6 now) and there is even a kernel compilation flag for random sequences.
so it's probably a year out of date, don't feel so singled out
dave
This report was published over a year ago, examining vulnerabilities that have been well-understood for >6 years. How is this news?
It might be useful if it was up to date, however as it stands most of the OSes listed there have had non-trivial revisions and new releases since then: WinXP isn't mentioned; Linux testing is limited to some version of 2.2, with no mention of 2.4; it refers to OpenBSD 2.9 coming out "soon" (3.1 is now available); OS X has had many major improvements since its first release; etc.
I'll be the first to admit that some of that articale was a little beyond me at this time. However, for anyone running a server, it would seem that OpenBSD still is the best choice for anything on the 'net. OpenBSD had the best TCP/IP random number generation (recently re-written). It has also been developed with security in mind. After about 4 years of linux experience it took me an hour to get an openbsd machine running, natting, and pf'ing. It was really that simple - as long as you have the experience. Want httpd installed? "make install" in the ports directory.
What really suprised me in this article is that some of the commercial unices were so poor in their implementation. Solaris was only secured after tweaking, Mac OS X, while not 100% attackable, still wasn't much better. Same for IRIX and AIX. I didn't notice version numbers however, does anyone know if the state has changed for newer version of IRIX? It was also disappointing the the 2.2 series kernel was used - have things changed in 2.4? If not, is there work being done in 2.5/6 ?
And if anyone has ANY insight as to why Window98 is much worse than windows95 I'd love to hear it.
S.t.e.v.e.
All the pictures are included in this pdf mirror: http://www.mirrors.wiretapped.net/security/info/pa pers/networking/strange-attractors-and-tcpip-seque nce-number-analysis.pdf [1MB].
It doesn't display correctly with my version of KDE's PS/PDF Viewer, but good old ghostview works great.
HIV Crosses Species Barrier... into Muppets
He didn't say insecure, but just that win98 makes a pretty graph...
And it does, really! (Although I think Cisco IOS 12.0 makes an even prettyer one).
Relax Bill, we're not out to get you....
Mirror: http://ralph.cx/tcpseq/
Im missing 3 images... for now...
Cybie! aka Ralph Bonnell
The author should be hit with a stick.
Hard.
Several times.
There is a standard definition for an attractor in mathematics.
If the author wants to use mathematics, then he should use the well-agreed mathematical definitions and not vague pseudo-mathematical babble.
And yes, I am a mathematician.
What they basically do is to guess the (internal) dimension of the system and trying to get non-trivial attracting set out of it. It's a rather trivial fact that if you get both things right, you can attack the PRNG. However, a decent PRNG won't have any non-trivial attractors.
Owner of a Mensa membership card.
The article is not trying to report the idea of predicting the ISN as a new vulnerability.
The goal of the article is to compare how vulnerable various current operating systems are to this type of spoofed ISN attack. It discusses phase space analysis as a worthy means of doing this, and then the article presents handy feasibility charts and pretty pictures.
So please, let's have no more posts discussing how this attack is really old, man. I think most people here know this already.
1. Sensationalism
"OMG Someone can guess the ISN number, We are all on our way to destruction"
2. Geekiness
"Wtf is an ISN number"
3. M$ Bashing (Note the $ $ign it means I dissaprove of Microsofts Money Grubbing Ways (TM) [OMG another funny!!])
... at http://www.mirrors.wiretapped.net/security/info/pa pers/networking/strange-attractors-and-tcpip-seque nce-number-analysis.pdf
hardcode
--
It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
a half a pack of cigarettes, it's dark, and we're wearing visors. Engage.
- Paul Tomblin in asr
You mean, like this improvement?
Seriously, the post was entitled "for those wondering how insecure Microsoft is", not "for those wondering how Microsoft stacks up against other systems" which, as you point out, would indicate that consumer OSes are pathetic, while 'professional' OSes like NT and 2000 are making modest improvements, and that while the *BSDs are pretty good, and GNU/Linux quite good, there are plenty of older UNIX implimentations that were quite poor, and even pathetic, as well, not to mention CISCO, which makes up much of the internet backbone.
But, since Microsoft is conducting a wholesale attack on our very freedom of choice through it Palladium and DRM efforts, pointing out additional, purely technical reasons for moving away from Microsoft to *BSD and GNU/Linux alternatives and thereby protecting your security as well as your freedom isn't such an ignoble thing to be doing at all.
The Future of Human Evolution: Autonomy
There are two reasons why Slashdot doesen't cache liked pages:
1) I could very well be illegal without obtaing permission from a human. This would take too much time away from CmdrTaco adding spelling errors to my posts.
2) It would costs money in bandwidth costs. VA Software coporate officers love to roll naked in freshly minted $1 bills, and this would take away from their stash. Then only, one officer could roll at a time. Not a happy thing.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
You have to remove the spaces that slashdot puts in because some genious months ago figured out this thing called a "page-widening post." About the most annoying thing I've ever seen, really.
SIG: HUP
the reason you had a relatively easy time with the mac is not because of it's security. it 's because of it's relative obscurity. people don't find it worthwhile to hack a mac, don't know how, and don't care to... etc. Things might change now that the hacking methods are a little closer than they used to be (now 30 years of unix hacking knowledge may be applied) however, MacOS classic wasn't even included in teh final score (the little rainbow graphic) for some reason, however they do state in the text that MacOS X scored a little higher than it. Take that as you will.
OpenBSD _2.8_ was fairly bad in the test... but that's a pretty old version... as they say the CURRENT at that time was much better... and I think that is incorporated in the newer OpenBSD releases.. (as in at least 3.x)
Ner lbh sebz gur HFN? Gura lbh'ir whfg ivbyngrq gur QZPN!
and even though they put in the spaces, there are still page widening posts. ever browse at -1?
And also, I happened notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how its around ~10% attack feasability compared to 100% with older versions.
So your saying when they ganked the FreeBSD network stack w/o even a tip of the hat, they improved thier non-existant security?
Wow, who'da thunk.
I live in a giant bucket.
Actually this is a case of "You Get What You Don't Pay For" -
HPUX, Windows and AIX are all expensive and suck.
Linux, OpenBSD, FreeBSD are all free and work wonderfully.
So in this case, your level of protection is determined by your inteligence and not by the amount of money you sepend.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
what a lame job of baiting... better, right?
are there 100s of thousands of old windows boxes
with lame tcp/ip or are people running hpux on
their dsl and cable modem boxes now?
Obviously this is not the case, or Google and other businesses that are caching web sites would be out of business by now. Caching web proxies would not be so common, instead we have never heard of a legal attack against a caching web proxy. This excuse is without merit.
The FAQ also gives this as a reason:
But this is such an easily solved problem, this must also be a dishonest excuse. Even updating the cache once per minute would not unduly load the victim sites. Using standard proxy software like Squid would completely solve this problem.
Surely in the 2 years since this question has been answered, CmdrTaco has had time to work on the solution to this. This is his full time job. Not much effort is being spent on the development of the software that runs the site, and certainly with the number of editors and how sloppily it is done, this can not be taking more than an hour per day per editor, if that. There is no original content, it is all submitted. As a LNUX shareholder, I wonder what these guys really do all day.
Is it just me, or do these pictures look just like the X-ray defraction of a crystal? I suppose it goes to show the symmetry in the universe.
The dogcow says "Moof!"
I guess the end run around any preceived problems on CmdrTaco's part would be to just provide links to Google's cache.
A certainly agree with you..
Considering that there are several full-time people working (and being paid) on Slashdot, I find it rather odd that that hasen't been a solution forthcoming to this common problem.
It could be a case of burn-out, but I suspect general lazyness.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
This is not true. Your location on the network does not matter if you are worried about sequence number prediction. If you are positioned so that you can see the traffic both ways, you do not need to predict sequence numbers. And, all but the most insecure networks are vulnerable to attacks from the internet solely based on a spoofed IP address. No major US corporation is going to have a hole like that these days - they at least realize that securing the outside of the firewall is important. If there were such a hole, the intelligence necessary to find out about its existance and the address to use would take about the same effort to obtain as other more practical ways into the network.
Everybody realized to be afraid of IP-address based authentication after the widely publicized IP spoofing attacks.
Personally, I think Bush's Department of Homeland Defense is going to be a complete crock if nothing is done about this and other computer security issues.
The US government actively attacks computer securitiy. This is a problem that can be totally solved with strong encryption. Who is the biggest opponent in the world to ubiquitous strong encryption?
I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.
That may be, but probably isn't, true.
If you read the article carefully you'll notice that the versions of *BSD and the Linux kernel (2.2.x) are also outdated. This isn't some neferious plot to diss Microsoft (hell, that isn't all that hard to do with cold, hard, factual data in the first place, so there is no need for anyone to cook the data, least of all this study), it is a result of the fact that research and study take time.
I'm sure if the author had looked at Linux 2.4.x and current versions of the BSDs the results would have been significantly better (Mac OS X as well, being a BSD derivative).
As for whether or not the various Windows versions would have been better, that is an assumption we really cannot make. Not for any prejudicial reasons, but because historically they generally haven't always improved, and indeed on at least one occasion (95->98) got considerably worse. We can hope that the security of Windows 2k has improved since then, but there is no real historical precendence to support that hope, in contrast with most other competitors products including the BSDs and Linux products cited here.
The comparison was fair: it was a snapshot of the state of the art taken a couple of years ago, then studied and analized in detail over those past two years. This is how every study that bases itself on factual research works, as opposed to corporate marketing drivel purchased to look like research, as has come from the Microsoft camp on numerous occasions in the last couple of years, and has in every case been thoroughly, and utterly obliterated in public rebuttal.
The Future of Human Evolution: Autonomy
Why not start looking for a better job instead of bitching and whinning on slashdot all day.
Try finding, especially in this depressed economy, an IT job that does not require you to use Microsoft software at least sometimes. I would estimate that this describes less than one tenth of one percent of jobs. It is virtually impossible to avoid. Switching jobs is not a solution to this problem.
Predictable ISNs are only a problem against a machine which has been configured to allow another machine privileges based solely on that second's machine IP address. Then pedictable ISNs allow a third machine to 'spoof' it's address, claiming to be the seond machine by using it's IP address, even though the third machine can't see the responses from the first machine, because the third machine doesn't have the IP address it's claiming.
If you don't configure this 'trust' relationship based on IP address alone, this is not an issue.
Example: SSH allows one machine to trust another, but requires that the trusted machine be at the right IP addresss AND posess the correct private key or keys - so no issue.
Any one who, in this time, configures a machine to trust another, based solely on the IP address in the frames received, is crazy. It's a very unwise practice.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
The thing I don't understand is... why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now
The data that was studied for the last two or three years was collected prior to the study commencing, i.e. at least two or three years ago. If you'd bothered to read the paper, you would have noticed that the versions of *BSD and Linux being compared are equally as old (kernel 2.2.x of Linux, for example).
When you conduct a scientific study (not to be confused with the marketing drivel often sold as science and frequently purchased by the likes of Microsoft, and just as frequently disgraced and utterly rebutted a few days later by the scientific community) you collect the data, then you analize the data and draw conclusions from that data. All of that takes time, so any rigorous study conducted is going to be working with data collected at some time in the past.
[opinion]
I'm sure a study will come out showing the appalling weaknesses of Windows XP, but such a study will likely be reviled by Microsoft enthusiasts because, by the time the rigorous work is done, there will be some newer, even more invasive and buggy release of Windows out. That will not, however, make the study any less valid or accurate, any more than it would the study conducted here.
[/opinion]
The Future of Human Evolution: Autonomy
The results are given in the article, and they are ~1/6th as vulnerable. The original poster strangely seemed to read straight past those results though...
Well, I agree to a large extent. But ISN attacks are not really all that common (though from a DoD perspective, they REALLY need to be prevented).
Of course, in general, SSL should prevent these sorts of attacks because the incoming payload would be expected to be encrypted and so it would be non-trivial to input packets into the stream and have them do anything other than DoS. Still a problem but not as much as other issues.
Again, I see this as an issue where competent attackers may be heavily targetting a given system, but it is unlikely to be used by the casual crowd. So the Win 95 and 98 crowd should be relatively safe, while the DoD NEEDS additional protection. Corporate infrastructures are in the middle, and it is probably a good idea to protect them against this sort of attack.
However, it is also a pretty serious refutation of "open source is insecure."
LedgerSMB: Open source Accounting/ERP
Predictable ISNs are only a problem against a machine which has been configured to allow another machine privileges based solely on that second's machine IP address.
Are you willing to bet that this is the *only* kind of attack possible using sequence number prediction? Someone with a sick imagination may find other novel and destructive uses for it.
In fact, I can already think of some...
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Your mom must be very proud linus.
And how many Win98 servers do you find in the wild? Not many... There are still a small handful of NT4 boxen, but most admins moved to at least SP3 if not SP6 by 1998. Windows 2000 and XP don't have the ISN problem. MacOS 8 and MacOS 9 were not meant to be server OS's and were never sold as such.
What's funny? All said and done, very few people are going to try an ISN attack when there are so many easier app level attacks against servers already available.
"OpenBSD had the best TCP/IP random number generation (recently re-written)."
Didn't you question anything when they said 2.2.1x, or OpenBSD 2.8 was "recent"? No? OpenBSD 3.1 is the most recently released one. They've had this for quite a few releases now (didn't you also notice that OpenSSH's default root problem affected OpenBSD 2.9-3.1?). They also had *no* data for Linux 2.4, or Windows XP.
Don't believe me? Scroll down to the bottom of the page where it mentions it was last updated in April 2001.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now
Maybe because lots of people are still using Win98 - for economic reasons, because of a need to support old software needed to access critical data, or because considering microsoft's track record so far we tend to assume that in a few years it will be discovered that XP has even worse holes... Or people just don't like WPA, and assume that it's a future revenue enhancement tool - in a few years when MS has a replacement for XP on the market, their site for XP WPA might suddenly have all sorts of problems until people start giving up and buying a new OS when their systems crash and have to be reloaded.
I agree, comparing Win98 to server OS's like BSD isn't fair - there should be two separate comparisons, desktop to desktop and server to server. I gather that in server software, Win2K isn't bad in comparison to other commercial server products, but the OSS products (Linux and BSD) are far better. So Microsoft's bellyaching about OSS being insecure is proven wrong. (And if Linux has improved that much in the last 4 years, it's another indication that when security becomes important, open source can improve much faster than closed.)
As for comparing desktop to desktop, it's hard to arrange a comparison that everyone would agree is fair. First off, you don't exactly have competing desktop OS's - you have MS which writes desktop OS's and tries to upgrade them to run servers later, and you've got everything else (since Mac OS 9), which are *nix server OS's downgraded to run a desktop. It's something for MS to whine about when they lose. Anyhow, MS's latest desktop (XP Home) might have acquired a good sequence randomizer to plug this one hole, but the default installation apparently opens up a lot of others. I wonder how many other utterly brain-dead decisions like allowing Plug-n-Play to work across the network are not yet revealed...
Comment removed based on user account deletion
The advertisement in your signature points to www.coronahost.com, which claims to be running Microsoft IIS. So I am sure you will agree that while the theoretical discussion is interesting, in the real world there are forces that you simply can not control. The only thing that can be done is to helplessly complain.
Comment removed based on user account deletion
nmap will tell you what the OS is, and give you a rough idea of how hard it would be to use the target's ISN against it.
Uptime 0.811 days (since Sat Jun 29 22:04:58 2002)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2918407 (Good luck!)
IPID Sequence Generation: All zeros
There is very little future in being right when your boss is wrong.
Before everyone goes off about security.
TCP was not designed to be secure. It was designed to ensure data is put back in the proper order at the remote end, and to be able to adjust it's transmission to deal with congestion.
Yes, there is a security issue.... but any security breach through ip spoofing is really a fault of the higher layer application/protocol and NOT of the ability for a tcp session to be spoofed.
The paper talks about a n-dimensional space, but only looks at the 3-dimensional case. It is totaly possible that the picture looks different at other dimensions (even at two), and spoofing works better when you use that as a basis. Which of course doesn't make the others more secure should they have better results at other dimensions - the worst case is still the worst case.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
if you're interested in random ISN's I'd suggest you try the grsecurity patch from grsecurity.
:
it has loads of other interesting functions and the random ISN generator seems to work fine, here's a nmap scan result
TCP Sequence Prediction: Class=random positive increments
Difficulty=4184073 (Good luck!)
TCP ISN Seq. Numbers: BA77562B B9B190FD BA8C8609 BA3DFEB2 BA92DBDB B9BA515C
IPID Sequence Generation: Randomized
Actually, the whole thing is more than a year old! It was primarily published on private page by the researcher. Now that he works for BindView, they "reprinted" it as a company. Nothing new to see here, move along.
The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
Care to fill us in?
I'm not usually a paranoid "MS wants to rule the world type" but this is a little too convenient a coincidence to ignore.
That is the most interesting thing i have seen on Slashdot for a long time.
I gots ta ding a ding dang my dang a long ling long
Personally, I think Bush's Department of Homeland Defense is going to be a complete crock if nothing is done about this and other computer security issues.
What are you talking about? It's already a complete crock anyway, and is well on its way to becoming two complete crocks.
Absolutely. It seems that's the only reliable way of doing it anyway. If two nodes behind the firewall both open connections to a web server with the same ISN, whats the firewall to do? Actually, since it's the firewall that opens the connections on the behalf of the nodes behind it, surely code reuse dictates the packet headers have OpenBSD ISNs. Finally, the FAQ on the Netcraft Survey talks about this to explain why some webservers are "Microsoft IIS" running on Linux; what it's really seeing is the ISN characteristics of a linux firewall or load balancer in front of the webserver.
:-D
So I think you're safe
Black holes are where the Matrix raised SIGFPE
See http://www.cert.org/advisories/CA-2001-09.html. Also http://www.kb.cert.org/vuls/id/498440. It has some good background about why this was news at the time. For example, assertions in this thread that ISN prediction doesn't matter if you don't use address-based authentication are just plain wrong, and the advisory tells you why.
Unfortuantely, this is pretty much the same attitude that an unnamed giant software corporation takes as well. If only a few people are going to, then won't they be the people who have the knowledge to take it further? Script kiddies aren't generally harmful (in a big way) because they can't do anything useful.
-JB
"I love deadlines. I love the "whooshing" sound they make as they pass by." - Douglas Adams.
I just read the article you linked to.
It really does scare me, doubly so because I live in a small country (NZ) that is paying huge sums to this foreign vendor that is a convicted monopolist. That money should be going to the local economy. I hope NZ will be able to buy non-palladium-crippled hardware to run alternative OSen.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
While ISN spoofing can be a problem, it really isn't in 99% of the machines in use today.
.rhost or other IP based authentication. Without this, this attack cannot be utilized. Also you need to be able to muzzle the spoofed machine during the attack, much easier a few years ago than today as things like SYN floods are much less effective.
ISN spoofing requires that the target machine runs
In the old days this type of authentication was commonly used, but not much anymore. An the argument about windoz boxes being insecure as ISN spoofing, really doesn't mean a thing since there not going to be running IP based authentication.
It is a fun problem to talk about, but there is much better ways to solve it than tossing compute cycles on strong hashes ala RFC1948.
mycal
If you look at the date on the web page, it's April 2001. Linux 2.2.x was just fine back then :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Yeah.. but again, you can't see the response. Same boat as spoofing the connection in the first place.
yes, there are situations where you can do something nasty with it.. but they are rather specific ones, and rely on using unsecure protocols anyway.
TCP was not designed to be secure. It was designed to get packets reassembled in order, and to be able to dynamically change it's transmission properties to deal with congestion.