topic Re: TCP Sequence prediction in Operating System - HP-UX

TCP Sequence prediction

David Connolly — Fri, 10 Jan 2003 15:58:35 GMT

High,

What patches do I need to stop the TCP sequence on my servers being predictable? This is a security vulnerability. I tried a search, but I can't find the exact patch the fixes the issue.

Thanks in advance.

Re: TCP Sequence prediction

James R. Ferguson — Fri, 10 Jan 2003 16:05:20 GMT

Hi:

For 11.0, see PHNE_21767. For 11.11, see PHNE_27063.

Regards!

...JRF...

Re: TCP Sequence prediction

John Poff — Fri, 10 Jan 2003 16:06:59 GMT

Hi,

Try looking at PHNE_26771. Here is a snippet from the patch description [fixed in patch PHNE_26445 which is superseded by PHNE_26771]:

( SR number: 8606213513 ; Defect: JAGad82705 )
Systems relying on random increments for choosing less
predictable TCP ISN values, are still vulnerable to
statistical attacks.

Also, here is a link to a great web site called "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later ". This site analyzes the TCP/IP sequence numbers for a lot of different operating systems and plots the results as 3D plots. Great stuff!

http://lcamtuf.coredump.cx/newtcp/

JP

Re: TCP Sequence prediction

rick jones — Mon, 13 Jan 2003 18:55:23 GMT

TCP sequence numbers _have_ to be predictable. I suspect you mean TCP _initial_ sequence numbers - ie the sequence number that TCP uses at the beginning of a connection.

There was a recent security bulletin about RFC 1918 support in HP-UX. PHNE_26771 as mentioned by John is the 11.0 patch mentioned in that.

If you are concerned about system security, it would be a really good idea to sign-up for the security notifications:

C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

Re: TCP Sequence prediction

Dave Unverhau_1 — Mon, 13 Jan 2003 19:13:07 GMT

Please note that, while PHNE_21767 and PHNE_27063 will increase ISN randomness, this functionality is not turned on in the patch by default. This is because (as I understand it) the increased overhead required by the computations can reduce transport efficiency, so HP included the functionality but didn't want to reduce performance for those folks who don't need the extra ISN randomness.

Here's the relevant text, cut from the patch text for PHNE_27063:

Defect Description:
The RFC 1948 ("Defending against sequence
number attacks") is not supported.

Resolution:
The RFC 1948 is now implemented for computing
TCP ISN values. By default, the support for
RFC 1948 is turned off. It can be turned on by
using the ndd variable, tcp_isn_passphrase
. The secret passphrase can be
of any length, but only the first 32 characters
will be retained. The passphrase, once set, should
not be changed, except possibly at reboot.
For example:
ndd -set /dev/tcp tcp_isn_passphrase "rfc 1948"
will turn on the support for RFC 1948.
( SR:8606213579 CR:JAGad82771 )

I have asked for this info to be added to the special instructions for these patches, but there has been no change so far...

Regards,

Dave

Re: TCP Sequence prediction

David Connolly — Tue, 14 Jan 2003 08:30:20 GMT

Thanks all,

That more than answers my question.