Date: Thu, 2 Nov 2000 21:56:28 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Lauri Laupmaa <mauri@aripaev.ee>
Cc: "'stable@freebsd.org'" <stable@FreeBSD.ORG>
Subject: Re: TCP sequence prediction on freebsd
Message-ID: <20001102215628.A26935@citusc17.usc.edu>
In-Reply-To: <8E67E032AD23D4118F740050042F21F771@lant.mbp.ee>; from mauri@aripaev.ee on Thu, Nov 02, 2000 at 11:41:11PM +0200
References: <8E67E032AD23D4118F740050042F21F771@lant.mbp.ee>
On Thu, Nov 02, 2000 at 11:41:11PM +0200, Lauri Laupmaa wrote:
> > The answer still stands. The difficulty to predict TCP
> > sequence numbers
> > must be raised as high as we know how to. The tools
>
> So here we go again:
> Is it possible to raise the difficulty with some obscure kernel parameter or
> some sysctl ?

TCP sequence numbering now uses the arc4random() function, which is
cryptographically resistant to prediction. On each new connection the
sequence number is incremented by a random value between 0 and 65536, and
each second we increment by a fixed amount + a random value between 0 and
256k (average of 128k).

Previous versions used a random number generator which was in fact
predictable:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc

Kris
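The scheme Kris describes, modelled as an added example (this is not FreeBSD's tcp_seq code and is not from the thread): a running counter that is bumped by a random 0..65535 on every new connection and by a fixed amount plus a random 0..256k-1 every second. The RNG is injected so the behaviour can be checked deterministically; the stand-alone main() reads /dev/urandom where the kernel would call arc4random(), and the fixed per-second amount (ISS_SEC_FIXED) is an assumed value because the mail does not name one. iss_candidates() gives the attacker's view: how many distinct values the next ISS can take after a known one, which is the number of spoofed packets a blind prediction attack would have to spray.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * Model of the ISS (initial send sequence) scheme described in the mail.
 * Added example, not FreeBSD's tcp_seq.c: the RNG is injected so the
 * behaviour can be checked deterministically, and main() draws from
 * /dev/urandom in place of arc4random().
 */

#define ISS_CONN_RANGE  65536U            /* per-connection: random 0..65535 */
#define ISS_SEC_RANGE   (256U * 1024U)    /* per-second: random 0..256k-1 (avg 128k) */
#define ISS_SEC_FIXED   (64U * 1024U)     /* ASSUMPTION: the mail names no value */

typedef uint32_t (*rng_fn)(void *ctx);

struct iss_gen {
    uint32_t seq;     /* running ISS counter, wraps mod 2^32 like TCP sequence space */
    rng_fn   rng;
    void    *ctx;
};

/* Seed the counter from the RNG so the very first ISS is also unguessable. */
void iss_init(struct iss_gen *g, rng_fn rng, void *ctx)
{
    g->rng = rng;
    g->ctx = ctx;
    g->seq = rng(ctx);
}

/* Per-second clock step: fixed amount plus a random value in [0, 256k). */
void iss_tick(struct iss_gen *g, unsigned seconds)
{
    while (seconds-- > 0)
        g->seq += ISS_SEC_FIXED + g->rng(g->ctx) % ISS_SEC_RANGE;
}

/* Per-connection step: add a random value in [0, 65536) and hand out the ISS.
 * Both ranges are powers of two, so the modulo introduces no bias. */
uint32_t iss_next(struct iss_gen *g)
{
    g->seq += g->rng(g->ctx) % ISS_CONN_RANGE;
    return g->seq;
}

/*
 * Attacker's view: having observed one ISS, how many distinct values can the
 * next ISS take after `seconds` clock ticks and `conns` intervening
 * connections? The fixed per-second amount shifts the window but does not
 * widen it; only the random parts do. A blind spoofing attack would have to
 * send one packet per candidate.
 */
uint64_t iss_candidates(unsigned seconds, unsigned conns)
{
    return (uint64_t)seconds * (ISS_SEC_RANGE - 1)
         + (uint64_t)conns   * (ISS_CONN_RANGE - 1)
         + 1;
}

/* Deterministic RNG for checks only: always returns the value ctx points to. */
uint32_t const_rng(void *ctx)
{
    return *(uint32_t *)ctx;
}

/* Stand-in for arc4random(): 32 bits from /dev/urandom (ctx is an open fd). */
uint32_t urandom_rng(void *ctx)
{
    uint32_t v = 0;
    if (read(*(int *)ctx, &v, sizeof v) != (ssize_t)sizeof v) {
        perror("read /dev/urandom");
        exit(1);
    }
    return v;
}

int main(void)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) { perror("open /dev/urandom"); return 1; }

    struct iss_gen g;
    iss_init(&g, urandom_rng, &fd);

    /* Three connections within the same second, then one a second later. */
    for (int i = 0; i < 3; i++)
        printf("conn %d ISS = %10u\n", i, iss_next(&g));
    iss_tick(&g, 1);
    printf("after 1s  ISS = %10u\n", iss_next(&g));

    printf("candidates, next conn same second: %llu\n",
           (unsigned long long)iss_candidates(0, 1));
    printf("candidates, next conn 1s later   : %llu\n",
           (unsigned long long)iss_candidates(1, 1));
    close(fd);
    return 0;
}
```

Build with `cc -o iss iss.c && ./iss`. The point the counts make: even with no elapsed time, an attacker who saw the previous ISS still faces 65536 equally likely values for the next one, and every second of delay adds another 256k, which is what "raising the difficulty" means in practice; no sysctl is involved, the generator itself changed.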
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001102215628.A26935>