Date: Thu, 2 Nov 2000 21:56:28 -0800
From: Kris Kennaway
To: Lauri Laupmaa
Cc: "'stable@freebsd.org'"
Subject: Re: TCP sequence prediction on freebsd
Message-ID: <20001102215628.A26935@citusc17.usc.edu>
In-Reply-To: <8E67E032AD23D4118F740050042F21F771@lant.mbp.ee>; from mauri@aripaev.ee on Thu, Nov 02, 2000 at 11:41:11PM +0200

On Thu, Nov 02, 2000 at 11:41:11PM +0200, Lauri Laupmaa wrote:
> > The answer still stands. The difficulty to predict TCP sequence numbers
> > must be raised as high as we know how to. The tools
>
> So here we go again:
> Is it possible to raise the difficulty with some obscure kernel parameter or
> some sysctl?

TCP sequence numbering now uses the arc4random() function, which is cryptographically resistant to prediction. On each new connection the sequence number is incremented by a random value between 0 and 65536, and each second we increment by a fixed amount + a random value between 0 and 256k (average of 128k).

Previous versions used a random number generator which was in fact predictable:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc

Kris
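The scheme Kris describes, modelled as an added example (this is not FreeBSD's kernel code, nor anything from the advisory): a random per-connection bump in [0, 65536] and a per-second bump of a fixed amount plus a random value in [0, 256k). Python's `secrets` module stands in for arc4random(), and the fixed per-second amount `FIXED_PER_SECOND` is an assumed placeholder, since the mail does not give its value. The `spacing_summary` helper is the kind of check a defender would run on observed ISNs: a generator whose spacing collapses onto one value is the predictable kind the advisory is about.

```python
"""Model of the ISN scheme described in the mail (added example, not FreeBSD code).

arc4random() is modelled with Python's `secrets` CSPRNG. FIXED_PER_SECOND is an
ASSUMED value; the mail only says "a fixed amount".
"""
import secrets

ISN_MODULUS = 1 << 32            # TCP sequence numbers are 32-bit
CONN_BUMP_MAX = 65536            # per-connection random increment is in [0, 65536]
SECOND_BUMP_RANGE = 256 * 1024   # per-second random part is in [0, 256k)
FIXED_PER_SECOND = 64 * 1024     # ASSUMED placeholder for the unstated fixed amount


class IsnGenerator:
    """Tracks the ISN counter and applies the two kinds of bump the mail describes."""

    def __init__(self, fixed_per_second=FIXED_PER_SECOND):
        self.fixed = fixed_per_second
        self.isn = secrets.randbelow(ISN_MODULUS)   # random starting point

    def new_connection(self):
        """ISN handed to a new connection: previous value + random in [0, 65536]."""
        self.isn = (self.isn + secrets.randbelow(CONN_BUMP_MAX + 1)) % ISN_MODULUS
        return self.isn

    def tick_second(self):
        """Once per second: fixed amount + random in [0, 256k)."""
        bump = self.fixed + secrets.randbelow(SECOND_BUMP_RANGE)
        self.isn = (self.isn + bump) % ISN_MODULUS
        return self.isn


def delta(a, b):
    """Forward distance from ISN a to ISN b, modulo 2^32 (handles wrap-around)."""
    return (b - a) % ISN_MODULUS


def connection_deltas(gen, count):
    """Spacing between ISNs of `count` connections opened within one second."""
    isns = [gen.new_connection() for _ in range(count)]
    return [delta(x, y) for x, y in zip(isns, isns[1:])]


def second_deltas(gen, count):
    """Spacing between consecutive per-second ticks with no connections in between."""
    isns = [gen.tick_second() for _ in range(count)]
    return [delta(x, y) for x, y in zip(isns, isns[1:])]


def spacing_summary(deltas):
    """Audit metric: (min, max, mean) of observed ISN spacing.

    For the randomized scheme the per-second mean should sit near
    FIXED_PER_SECOND + 128k and the spread should cover most of the 256k range;
    spacing that clusters on a single value indicates a predictable generator.
    """
    return min(deltas), max(deltas), sum(deltas) / len(deltas)


if __name__ == "__main__":
    g = IsnGenerator()
    print("per-connection spacing (min, max, mean):",
          spacing_summary(connection_deltas(g, 500)))
    print("per-second spacing     (min, max, mean):",
          spacing_summary(second_deltas(g, 4000)))
```

Run it a few times: the per-connection spacing stays within [0, 65536] and the per-second spacing within [fixed, fixed + 256k), while the exact values never repeat, which is the property the mail is claiming for the new generator.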