Date: Fri, 31 Jan 1997 17:02:06 +1100 (EST)
From: proff@suburbia.net
To: danny@hilink.com.au (Daniel O'Callaghan)
Cc: hackers@freebsd.org
Subject: Re: TCP sequence numbers
Message-ID: <19970131060207.15590.qmail@suburbia.net>
In-Reply-To: <Pine.BSF.3.95.970131111755.542Y-100000@skylark.hilink.com.au> from Daniel O'Callaghan at "Jan 31, 97 11:20:11 am"

> The code below is taken from sys/netinet/tcp_seq.h in 2.2-ALPHA. It is
> not present in 2.1.5.
>
> That should indicate that TCP sequence number guessing attacks have been
> significantly stomped on. More knowledgeable people please correct me.
>
> /*
>  * Increment for tcp_iss each second.
>  * This is designed to increment at the standard 250 KB/s,
>  * but with a random component averaging 128 KB.
>  * We also increment tcp_iss by a quarter of this amount
>  * each time we use the value for a new connection.
>  * If defined, the tcp_random18() macro should produce a
>  * number in the range [0-0x3ffff] that is hard to predict.
>  */
> #ifndef tcp_random18
> #define tcp_random18() ((random() >> 14) & 0x3ffff)
> #endif
> #define TCP_ISSINCR (122*1024 + tcp_random18())
>
> extern tcp_seq tcp_iss; /* tcp initial send seq # */
> #else
> #define TCP_ISSINCR (250*1024) /* increment for tcp_iss each second */
> #endif /* KERNEL */
> #endif /* _NETINET_TCP_SEQ_H_ */

This is insecure against more sophisticated attacks. Linear congruential
generators leak internal state, and this one does so badly. See my patch.

Cheers,
Julian <proff@iq.org>
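To put a number on the state-leak point made in the reply, the following added example (not part of the original message, the patch it mentions, or the FreeBSD source) measures how many generator states stay consistent with observed tcp_random18() values. It assumes random() is a Park-Miller LCG with a 31-bit output, which the message does not show; lcg_next, random18_of, random18_max and states_after are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: stand-in for random(), which the message does not show:
 * Park-Miller LCG, x' = 16807 * x mod (2^31 - 1), 31-bit output. */
#define LCG_M 0x7fffffffu

static uint32_t lcg_next(uint32_t x)
{
    return (uint32_t)(((uint64_t)x * 16807u) % LCG_M);
}

/* tcp_random18() from the quoted header, applied to one output r. */
static uint32_t random18_of(uint32_t r) { return (r >> 14) & 0x3ffff; }

/* Largest value the macro can produce from a 31-bit output. */
uint32_t random18_max(void) { return random18_of(LCG_M - 1); }

/* Count generator states that reproduce the first k (1 <= k <= 8)
 * macro outputs produced after seeding with `seed`. The first output
 * is the top 17 bits of the state, so only the low 14 bits remain
 * unknown and are enumerated here. */
uint32_t states_after(uint32_t seed, int k)
{
    uint32_t obs[8], count = 0;
    for (int i = 0; i < k; i++) {
        seed = lcg_next(seed);
        obs[i] = random18_of(seed);
    }
    for (uint32_t low = 0; low < (1u << 14); low++) {
        uint32_t x = (obs[0] << 14) | low;
        int ok = (x != 0 && x < LCG_M);
        for (int i = 1; i < k && ok; i++) {
            x = lcg_next(x);
            ok = (random18_of(x) == obs[i]);
        }
        count += (uint32_t)ok;
    }
    return count;
}

int main(void)
{
    /* Seed 1 is a constructed sample value. */
    printf("max tcp_random18: 0x%x\n", random18_max());
    printf("states after 1 value:  %u\n", states_after(1u, 1));
    printf("states after 2 values: %u\n", states_after(1u, 2));
    return 0;
}
```

Under the stated assumption the macro never sets bit 17, so its range is [0, 0x1ffff] rather than [0, 0x3ffff], and a second observed value narrows the 2^14 remaining candidates to one.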