Re: tcp vulnerability? haven't seen anything on it here...

From: Horst von Brand
Date: Thu Apr 22 2004 - 12:41:15 EST

alex@xxxxxxxxxxxx said:
> > > > Unless i misunderstood: You need someone/thing to see about 64K
> > > > packets within a single flow to make the predicition so the attack
> > > > is succesful. Sure to have access to such capability is to be in a
> > > > hostile path, no? ;->
> > > No, you do not need to see any packet.

> > Ok, so i misunderstood then. How do you predict the sequences without
> > seeing any packet? Is there any URL to mentioned paper?

> You don't - just brute-force the tcp 4-tuple and sequence number. The
> attack relies on the fact that you don't have to match sequence number
> exactly, which cuts down on the search-space. (If total search space is
> 2^32, rwin is 16k, effective attack search space is 2^32/16k). Multiplied
> by number of ephemeral ports, it becomes *feasible* but still not very
> likely.

If everybody (or at least the bigger knots) filters spoofed traffic, this
ceases to be a problem. And that solves a shipload of other problems, so...

If the cracker has access to the connection between routers (quite unlikely
for BGP), there is other, lower-hanging, fun to be had... and in that case
they can just read the exact data from the stream, no guessing needed at
all. And no protection possible either AFAICS.
Dr. Horst H. von Brand User #22616
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at