Re: [fw-wiz] Firewalls that generate new packets..

To be honest I was not assuming on or off a shared network for this
scenario, I just hadn't considered it one way or the other.

Shared and unshared mean less and less anyways... with semi-automated
tools like Cain & Abel, and my favorite Dsniff (quick plug for it
"dsniff is a collection of tools for network auditing and
penetration testing" that automates MITM attacks, shows the
ineffectiveness of depending on switches (vs hubs) for security,
and more)

But in any case, blind attacks (attacks that take place on the internet
vs. a wan, man, lan, etc.) would still be the majority of the cases,
wouldn't they? A good IDS will find a local MITM attack such as
the ones we are discussing, unless it is also blind (iow they don't
do any arp poisoning/mac spoofing). Then, yes we would be left
depending on the random # generation of the OS and the lack of
brute force of the hacker.

RFC1948, which most OSes seem to ignore, would make it much much
more difficult even with only mediocre randomness. It advocates
one-way MD5 hashes....

The seminal paper on this would probably be "Strange Attractors
and TCP/IP Sequence Number Analysis", the update to which is

This is good reading--it compares many OSes' randomness with
respect to TCP sequence numbers, posits the brute force
necessary to hack them, and does so in a very readable

One crucial part of it is "Current Risks of tcp/ip spoofing"

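As an added example (not code from this thread, nor any OS's TCP stack), here is the RFC 1948 construction Patrick refers to: ISN = M + F(localhost, localport, remotehost, remoteport, secret), with M the 4-microsecond clock of RFC 793 and F a truncated MD5. The secret and the addresses are constructed for the demonstration.

```python
import hashlib
import os
import struct
import time

# RFC 1948 (Bellovin): ISN = M + F(local ip/port, remote ip/port, secret).
# An observer who sniffs one ISN learns nothing about the ISN handed to a
# different remote endpoint, because F changes with the 4-tuple and with a
# secret picked at boot; within one connection the ISN still advances with M.
TICKS_PER_SECOND = 250_000   # one tick per 4 microseconds (RFC 793 clock)
SECRET = os.urandom(16)      # per-boot secret (constructed for the example)


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def rfc1948_offset(local_ip, local_port, remote_ip, remote_port, secret=SECRET) -> int:
    """F(): MD5 over the 4-tuple and the secret, truncated to 32 bits."""
    material = (_ip_bytes(local_ip) + struct.pack("!H", local_port)
                + _ip_bytes(remote_ip) + struct.pack("!H", remote_port) + secret)
    return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def clock_m(now=None) -> int:
    """M: 32-bit counter incremented every 4 microseconds."""
    if now is None:
        now = time.time()
    return int(now * TICKS_PER_SECOND) & 0xFFFFFFFF


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, m=None, secret=SECRET) -> int:
    """Initial sequence number for one connection: (M + F(...)) mod 2^32."""
    if m is None:
        m = clock_m()
    return (m + rfc1948_offset(local_ip, local_port, remote_ip, remote_port, secret)) & 0xFFFFFFFF


def isn_delta(isn_a, isn_b) -> int:
    """Forward distance between two ISNs modulo 2^32, as a sniffer would compute it."""
    return (isn_b - isn_a) & 0xFFFFFFFF


if __name__ == "__main__":
    m = clock_m()
    # Same server socket, two remote hosts, same instant: unrelated ISNs.
    a = rfc1948_isn("10.0.0.5", 80, "192.0.2.10", 40000, m)
    b = rfc1948_isn("10.0.0.5", 80, "192.0.2.11", 40000, m)
    print(f"ISN to .10: {a:#010x}  ISN to .11: {b:#010x}  delta: {isn_delta(a, b):#010x}")
    # Same 4-tuple 1000 ticks later: the delta is exactly the clock advance.
    later = rfc1948_isn("10.0.0.5", 80, "192.0.2.10", 40000, m + 1000)
    print(f"same tuple, 1000 ticks later: delta {isn_delta(a, later)}")
```

The per-tuple offset is what denies a sniffer on one connection any leverage over another; the clock term is what keeps a single connection's sequence space moving forward as RFC 793 requires.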

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Paul
D. Robertson
Sent: Thursday, November 29, 2007 11:40 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewalls that generate new packets..

On Thu, 29 Nov 2007, Darden, Patrick S. wrote:

You're assuming a blind attack, a very dangerous assumption. Even with a
blind attack, you're assuming that (a) the attacker's prediction efforts
are stymied by hard-to-predict sequence numbers and (b) the attacker
(or defender) lacking enough bandwidth to brute force the sequence number
or the likely sequence number space.

I am not assuming a blind attack. I was positing an example situation
that highlighted the importance of TCP sequence numbers. Please do not
put words in my mouth.

But the predictability of ISNs is only important in blind attacks: if the
attacker can sniff the ISNs, then the sequence numbers have no
value to a connection under attack as far as I can tell. So if your
scenario doesn't assume a blind attack what am I missing?

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."

firewall-wizards mailing list
