Slashdot Mirror

← Back to Stories (view on slashdot.org)

Graphing Randomness in TCP Initial Sequence Numbers

Posted by michael on from the winning-lottery-numbers-in-there-somewhere dept.

Saint Aardvark writes "This is neat: Graphic visualization of how random TCP Initial Sequence Numbers really are for different OSs. It's a great way of seeing how secure a TCP stack really is. Cisco IOS is great; OS9, OpenVMS and IRIX aren't. Posted to the ever-lovin' BugTraq mailing list." This is a follow-up to the previous report.

9 of 145 comments (clear)

  1. Original report by Caine · · Score: 5, Informative

    Original report here:

    http://razor.bindview.com/publish/papers/tcpseq.ht ml

  2. Re:I find it interesting by OrangeSpyderMan · · Score: 3, Informative

    You will find the original report here, and you might like to check out the linux section. Credit to a previous poster for that link, however.

    --
    Try NetBSD... safe,straightforward,useful.
  3. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  4. Re:Um, Why no Linux in the report by Clover_Kicker · · Score: 5, Informative
    >Why isn't Linux tested in the report? Its
    >certainly more common than many of the other
    >selections.
    >
    >Should we assume Linux matches *BSD or some other
    >flavor? or do I need to read more carefully :-)

    You need to read more carefully.


    In this section, we review a number of operating systems that were either identified as not satisfactory in the original publication, or were not covered by our research at the time. Several systems, such as Linux, use the same, satisfactory ISN generator as the one used a year ago, and because of that, are not covered here in any more detail.
  5. Mirror in case of further slashdotting by vidnet · · Score: 2, Informative
    I got through fairly easily, but just in case it gets worse, Here's a mirror.

    It's just a 133mhz netbsd box on a home adsl line though, but I figured the more the merrier.

  6. Re:What about home router sequence numbers? by Anonymous Coward · · Score: 1, Informative

    Heh...

    Most of them have constant or +1 ISNs. Some advanced ones have +64k.

  7. Re:Linux?? by raynet · · Score: 4, Informative

    If you read the article is says:

    3. New evidence In this section, we review a number of operating systems that were either identified as not satisfactory in the original publication, or were not covered by our research at the time. Several systems, such as Linux, use the same, satisfactory ISN generator as the one used a year ago, and because of that, are not covered here in any more detail.
    --
    - Raynet --> .
  8. Re:What about home router sequence numbers? by mkettler · · Score: 3, Informative

    Agreed, such devices tend to have poor ISNs, but then again, they are for home use, and the ports they serve only respond on the INSIDE. Outbound traffic passes thru with more-or-less the same ISN it started with.

    Unless you don't trust people on your home lan, it's not much of an issue. Yes, it should be done right, but the only people that can exploit this are those within your network. If they are in your home, they can do much worse than hijack your session as you configure the router.

    As for outbound traffic, if you connect to an outside website from an inside PC, it uses the ISN that the PC generated and doesn't change it or adds some simple fixed constant. It still retains all of the entropy of the original PC's ISN. Nobody from the outside should be able to connect to the configuration server in the "DSL router" device. Hence, nobody from the outside really sees the poor entropy of the DSLRouter's ISNs.

    Only higher-end firewall products, ie: the cisco PIX, attempt to mangle the ISN generation as they translate hosts. Most of the simple products do not, and certianly none of the $100 DSL routers do.

    Also good ISN generation is actualy important to more "commercial" grade routers, since these devices are sometimes deployed and administered remotely, generate tunnels, etc. Thus these routers/firewalls sometimes have exposed ports, or exposed client traffic on a public network as they are being reconfigured.

    Of course, many are only configured localy, or over a local LAN, which makes the risk a lot lower, but also users on corprate lans are generaly less trusted than those in your own home.

    --
    -Matt
  9. Re:Understanding Randomness by Graff · · Score: 3, Informative

    The main problem is that this may not be as random as you may think. Many of these "random" fluctuations are actually fairly non-random, relating to electromagnetic fields around the circuit. So what may seem random one moment can become very non-random the next as the conditions around the circuit change. That being said, these kind of circuits could possibly serve as seeds to a random number generator. However, I'm unsure if it would be better to have a regular, dependable seed device such as a clock, or to have a semi-random, unreliable device such as the circuit you have proposed.

    --
    Sapere aude!