From: Granquist, Lamont (lamontSCRIPTKIDDIE.ORG)
Date: Sun Mar 18 2001 - 21:27:19 CST


    Here's a thought on how to attack TCP ISNs irregardless of the strength of
    the PRNG being used:

    1. fill the listen() backlog of 32768 connections completely with
        connections that have the same ISN (SYN flooding with the same
        ISN)

    2. keep guessing reply ISNs and sending ACKs until statistically you
        succeed

    The success of this would come after 2^32 / 2^15 = 2^17 (131,072) guesses
    of ACK packets. You'd need to make sure the listen() backlog was kept
    full during this whole time.

    Problems:

    1. I'm not sure what happens when you SYN flood with packets that
        have the same ISN -- you may not generate 32768 table entries.

    2. Do you even need to worry about the ISN that you sent in the SYN
        packet? I can't remember if we need to remember this or not, it's been
        a year or two since I've torn apart TCP connections at this level...

    3. SYN cookies?

    4. Anything that can take entries out of the listen() queue.

    I need to hit Stevens a bit more to refresh my memory and answer these
    questions, but I thought I'd throw this out there.

    (And obviously this is all inspired by trying to figure out what Newsham's
    attack against TCP ISNs is...)

    I rolled up a little bit of perl to monte carlo simulate this and confirm
    that it would take about 2^17 tries to succeed. I haven't actually tried
    this against a target TCP/IP stack though...
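The post's estimate (expected guesses = 2^32 / backlog) can be checked with the added Python simulation below; it is not the author's Perl and makes the same assumptions the post does, namely that every backlog entry holds a distinct, uniformly random server ISN and that any one of them counts as a hit. It also prints how the expected cost moves as the number of simultaneously valid ISNs shrinks, which is the quantity SYN cookies and a small backlog control.

```python
"""Added example (not the post's own Perl): Monte Carlo check of the claim
that guessing a valid ISN against a backlog of 2^15 entries takes about
2^32 / 2^15 = 2^17 tries. With k valid values in a space of size n, each
uniform guess hits with probability k/n, so the number of guesses to the
first hit is geometric with mean n/k."""
import math
import random


def expected_guesses(space_bits: int = 32, backlog: int = 1 << 15) -> float:
    """Analytic mean number of guesses: 2^space_bits / backlog."""
    return (1 << space_bits) / backlog


def guesses_until_hit(rng: random.Random, space_bits: int, backlog: int) -> int:
    """One trial: fill 'backlog' slots with distinct random ISNs (the post's
    assumption), then guess uniformly until a guess matches any slot."""
    space = 1 << space_bits
    targets = set(rng.sample(range(space), backlog))
    tries = 0
    while True:
        tries += 1
        if rng.randrange(space) in targets:
            return tries


def simulate(space_bits: int, backlog: int, runs: int, seed: int = 1) -> float:
    """Average guesses-to-first-hit over 'runs' independent seeded trials."""
    rng = random.Random(seed)
    total = sum(guesses_until_hit(rng, space_bits, backlog) for _ in range(runs))
    return total / runs


if __name__ == "__main__":
    # The post's figures: 32-bit ISN space, 2^15 backlog -> 2^17 expected.
    print("analytic (32-bit space, 2^15 slots):", expected_guesses(32, 1 << 15))
    # A scaled-down space keeps the Monte Carlo quick; the n/k law is unchanged.
    print("simulated (2^20 space, 256 slots):", simulate(20, 256, runs=200))
    # Fewer simultaneously valid ISNs (smaller backlog, or none queued at all
    # with SYN cookies) pushes the expected cost back up toward 2^32.
    for backlog in (1 << 15, 1 << 10, 128):
        print(f"backlog {backlog:6d}: ~2^{math.log2(expected_guesses(32, backlog)):.0f} guesses")
```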