
TCP/IP Sequence Number Analysis - One Year Later

 
Mark Greene_1
Honored Contributor


A study was done a year ago to graphically map the initial TCP/IP sequence numbers used by various OSes to show randomness and to predict the probability of being able to do TCP spoofing. The study has been done again to reflect updates and fixes based on a CERT notification and a new RFC for generating TCP ISNs:

http://lcamtuf.coredump.cx/newtcp/

According to the study, HP actually got a little worse with their fix.

How many people here have the patch (PHNE_26771) installed, and how many do not?

--
Mark
the future will be a lot like now, only later
Pete Randall
Outstanding Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later

Mark,

I don't have it.

Pete

Sean OB_1
Honored Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later

Not installed here.
Vicente Sanchez_3
Respected Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later

Hello Mark,

Not installed
Chris Wilshaw
Honored Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later

Another no for the list.
Paula J Frazer-Campbell
Honored Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later

Hi Mark

Another NO

Paula
If you can spell SysAdmin then you is one - anon
Stefan Farrelly
Honored Contributor

Re: TCP/IP Sequence Number Analysis - One Year Later


Yes, we have 26771 installed on almost all our servers.

I am a little surprised others aren't using it - it's a patch listed by the HP Security patch check tool (B6834AA) as needing to be installed to fix a possible security hole and as a result we installed it weeks ago when we were notified to install it. Is nobody else running this very handy and in my opinion, essential, security check tool?

I'm from Palmerston North, New Zealand, but somehow ended up in London...
Dave Unverhau_1
Honored Contributor
Solution

Re: TCP/IP Sequence Number Analysis - One Year Later

Hi all,

I had done some research on PHNE_26771 in response to a previous posting and I discovered the following, which you might find useful:

============================================
The RFC 1948 is now implemented for computing TCP ISN values. By default, the support for RFC 1948 is turned off. It can be turned on by using the ndd variable, tcp_isn_passphrase. The secret passphrase can be of any length, but only the first 32 characters will be retained.

The passphrase, once set, should not be changed, except possibly at reboot.

For example:

ndd -set /dev/tcp tcp_isn_passphrase "rfc 1948"

will turn on the support for RFC 1948.
============================================

This info is buried deep in the patch text, but it can be easily missed. I've requested modification of the CERT advisory, since it (incorrectly) states that RFC 1948 support is enabled by default, but I have seen no change to date.

So, until you enable RFC 1948 support, your ISN randomization will be no different than without the patch.

I hope this helps!

Regards,

Dave
Romans 8:28
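
How the RFC 1948 scheme that the passphrase enables derives an ISN, as an added example that is not part of the original thread and not HP's code. MD5 as the hash F and the byte layout of the hashed tuple are assumptions following the RFC's suggestion; the addresses, ports and clock values are constructed.

```python
import hashlib
import socket
import struct

PASSPHRASE_MAX = 32  # per the patch text, only the first 32 characters are retained


def rfc1948_offset(secret, local_ip, local_port, remote_ip, remote_port):
    """F(localhost, localport, remotehost, remoteport, secret) reduced to 32 bits."""
    key = secret.encode()[:PASSPHRASE_MAX]
    conn = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
            + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
    # Assumed layout: connection tuple followed by the secret, hashed with MD5.
    return struct.unpack("!I", hashlib.md5(conn + key).digest()[:4])[0]


def rfc1948_isn(secret, local_ip, local_port, remote_ip, remote_port, clock_us):
    """ISN = M + F(...), where M is the classic timer ticking every 4 microseconds."""
    m = (clock_us // 4) & 0xFFFFFFFF
    offset = rfc1948_offset(secret, local_ip, local_port, remote_ip, remote_port)
    return (m + offset) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, arbitrary clock).
    server = ("192.0.2.10", 23)
    client_a = ("198.51.100.7", 40001)
    client_b = ("198.51.100.8", 40001)
    secret = "rfc 1948"
    t0 = 1_000_000

    # Same connection tuple: the ISN still advances with the clock, as RFC 793 expects.
    a0 = rfc1948_isn(secret, *server, *client_a, t0)
    a1 = rfc1948_isn(secret, *server, *client_a, t0 + 400)
    print("client A:", a0, "->", a1, "delta", (a1 - a0) & 0xFFFFFFFF)

    # Different peer at the same instant: an unrelated sequence space, so an ISN
    # observed by client B says nothing useful about the one handed to client A.
    print("client B:", rfc1948_isn(secret, *server, *client_b, t0))

    # A different passphrase moves every tuple's offset, which is consistent with
    # the patch text's advice not to change it while the system is running.
    print("new secret:", rfc1948_isn("another phrase", *server, *client_a, t0))
```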