HPE Community
Operating System - HP-UX
1830220 Members
2310 Online
109999 Solutions
New Discussion

TCP/IP Sequence Number Analysis - One Year Later

 
SOLVED
Go to solution
Mark Greene_1
Honored Contributor

‎09-11-2002 09:02 AM

‎09-11-2002 09:02 AM

TCP/IP Sequence Number Analysis - One Year Later

A study was done a year ago to graphically map the initial TCP/IP sequence numbers used by various OS's to show randomness and to predict the probablity of being able to do tcp spoofing. The study has been done again to reflect updates and fixes based on a CERT notification and a new RFC for generating TCP ISN's:

http://lcamtuf.coredump.cx/newtcp/

According to the study, HP actually got a little worse with their fix.

How many people here have the patch (PHNE_26771) installed, and how many do not?

--
Mark
the future will be a lot like now, only later
0 Kudos
Reply
7 REPLIES 7
Pete Randall
Outstanding Contributor

‎09-11-2002 09:11 AM

‎09-11-2002 09:11 AM

Re: TCP/IP Sequence Number Analysis - One Year Later

Mark,

I don't have it.

Pete

Pete
Reply
Sean OB_1
Honored Contributor

‎09-11-2002 11:03 AM

‎09-11-2002 11:03 AM

Re: TCP/IP Sequence Number Analysis - One Year Later

Not installed here.
Reply
Vicente Sanchez_3
Respected Contributor

‎09-12-2002 03:53 AM

‎09-12-2002 03:53 AM

Re: TCP/IP Sequence Number Analysis - One Year Later

Hello Mark,

Not installed
Reply
Chris Wilshaw
Honored Contributor

‎09-12-2002 04:01 AM

‎09-12-2002 04:01 AM

Re: TCP/IP Sequence Number Analysis - One Year Later

Another no for the list.
Reply
Paula J Frazer-Campbell
Honored Contributor

‎09-12-2002 04:30 AM

‎09-12-2002 04:30 AM

Re: TCP/IP Sequence Number Analysis - One Year Later

Hi Mark

Another NO

Paula
If you can spell SysAdmin then you is one - anon
Reply
Stefan Farrelly
Honored Contributor

‎09-12-2002 04:47 AM

‎09-12-2002 04:47 AM

Re: TCP/IP Sequence Number Analysis - One Year Later


Yes, we have 26771 installed on almost all our servers.

I am a little surprised others arent using it - its a patch listed by the HP Security patch check tool (B6834AA) as needing to be installed to fix a possible security hole and as a result we installed it weeks ago when we were notified to install it. Is nobody else running this very handy and in my opion, essential, security check tool ??

Im from Palmerston North, New Zealand, but somehow ended up in London...
Reply
Dave Unverhau_1
Honored Contributor

‎09-12-2002 07:56 PM

‎09-12-2002 07:56 PM

Solution

Re: TCP/IP Sequence Number Analysis - One Year Later

Hi all,

I had done some research on PHNE_26771 in response to a previous posting and I discovered the following, which you might find useful:

============================================
The RFC 1948 is now implemented for computing TCP ISN values. By default, the support for RFC 1948 is turned off. It can be turned on by using the ndd variable, tcp_isn_passphrase . The secret passphrase can be of any length, but only the first 32 characters will be retained.

The passphrase, once set, should not be changed, except possibly at reboot.

For example:
ndd -set /dev/tcp tcp_isn_passphrase "rfc 1948" will turn on the support for RFC 1948.
============================================

This info is buried deep in the patch text, but it can be easily missed. I've requested modification of the CERT advisory, since it (incorrectly) states that RFC 1948 support is enabled by default, but I have seen no change to date.

So, until you enable RFC 1948 support, your ISN randomization will be no different than without the patch.

I hope this helps!

Regards,

Dave
Romans 8:28
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.