
Re: Analysis of TCP sequencing



On Sun, Jun 30, 2002 at 10:22:06PM +0200, Jedi/Sector One wrote:
> On Sun, Jun 30, 2002 at 01:54:41PM -0600, Derick Siddoway wrote:
> > The paper can be found here:
> > http://razor.bindview.com/publish/papers/tcpseq.html
> 
>   This paper is excellent, yet very old. An up-to-date one would be really
> interesting. The procedure is clearly explained, so everybody can help.
> 
> > Note how much improved the algorithm is since 2.8 (and 2.8 wasn't
> > too bad.)  Also note how poor commercial operating systems rate.

I should have written, "poorly".  Argh.

>   Yes, OpenBSD has a very good generator. It was even copied for the Linux
> Grsecurity patch.
> 
>   However, except for trivial incrementations, in the real world, TCP
> hijacking is not that easy to exploit, especially remotely. So although some
> commercial OSes seem to behave poorly according to this analysis, it doesn't
> mean that anyone can hijack remote TCP sessions in 2 minutes.

That's not the point.  The point is that OpenBSD does things
*correctly*, which happens to result in a more secure system.
This paper is just another indication of OpenBSD's correctness.

-- 
Derick Siddoway      II. Impact    Non-privileged primitive users can
derick@bitflood.net  cause the total destruction of your entire invasion
                     fleet and gain unauthorized access to files.
                     -- CERT Advisory CA-96.13