
TCP Sequence prediction

SOLVED
David Connolly
Regular Advisor

TCP Sequence prediction

Hi,

What patches do I need to stop the TCP sequence on my servers being predictable? This is a security vulnerability. I tried a search, but I can't find the exact patch that fixes the issue.

Thanks in advance.
James R. Ferguson
Acclaimed Contributor
Solution

Re: TCP Sequence prediction

Hi:

For 11.0, see PHNE_21767. For 11.11, see PHNE_27063.

Regards!

...JRF...
John Poff
Honored Contributor

Re: TCP Sequence prediction

Hi,

Try looking at PHNE_26771. Here is a snippet from the patch description [fixed in patch PHNE_26445 which is superseded by PHNE_26771]:

( SR number: 8606213513 ; Defect: JAGad82705 )
Systems relying on random increments for choosing less
predictable TCP ISN values, are still vulnerable to
statistical attacks.


Also, here is a link to a great web site called "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later". This site analyzes the TCP/IP sequence numbers for a lot of different operating systems and plots the results as 3D plots. Great stuff!


http://lcamtuf.coredump.cx/newtcp/


JP
rick jones
Honored Contributor

Re: TCP Sequence prediction

TCP sequence numbers _have_ to be predictable. I suspect you mean TCP _initial_ sequence numbers, i.e. the sequence number that TCP uses at the beginning of a connection.

There was a recent security bulletin about RFC 1918 support in HP-UX. PHNE_26771 as mentioned by John is the 11.0 patch mentioned in that.

If you are concerned about system security, it would be a really good idea to sign-up for the security notifications:

C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

there is no rest for the wicked yet the virtuous have no pillows
Dave Unverhau_1
Honored Contributor

Re: TCP Sequence prediction

Please note that, while PHNE_21767 and PHNE_27063 will increase ISN randomness, this functionality is not turned on in the patch by default. This is because (as I understand it) the increased overhead required by the computations can reduce transport efficiency, so HP included the functionality but didn't want to reduce performance for those folks who don't need the extra ISN randomness.

Here's the relevant text, cut from the patch text for PHNE_27063:

Defect Description:
The RFC 1948 ("Defending against sequence
number attacks") is not supported.

Resolution:
The RFC 1948 is now implemented for computing
TCP ISN values. By default, the support for
RFC 1948 is turned off. It can be turned on by
using the ndd variable, tcp_isn_passphrase. The secret passphrase can be
of any length, but only the first 32 characters
will be retained. The passphrase, once set, should
not be changed, except possibly at reboot.
For example:
ndd -set /dev/tcp tcp_isn_passphrase "rfc 1948"
will turn on the support for RFC 1948.
( SR:8606213579 CR:JAGad82771 )

I have asked for this info to be added to the special instructions for these patches, but there has been no change so far...

Regards,

Dave
Romans 8:28
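As an added illustration, not code from this thread or from HP, the RFC 1948 construction that the PHNE_27063 patch text refers to can be written out in Python: the ISN is the RFC 793 4-microsecond clock plus a secret-keyed hash of the connection 4-tuple, so ISNs for one peer still advance monotonically with time (which is what keeps old segments from a previous incarnation of the same connection out) while ISNs for different peers are unrelated to each other. The same file carries a small "random increment" generator for comparison, the style of scheme the PHNE_26771 text calls still vulnerable. The function names, the HMAC-SHA256 keyed hash (RFC 1948 itself suggests MD5), the 2^16 step cap on the random-increment comparison, and the addresses are my own assumptions rather than HP-UX behaviour; the 32-character passphrase truncation mirrors the patch note above.

```python
"""RFC 1948-style ISN generation, written as an added example (not HP-UX code).

ISN = M(t) + F(local_ip, local_port, remote_ip, remote_port, secret)
where M is a clock advancing every 4 microseconds and F is a keyed hash.
"""
import hashlib
import hmac
import random

SEQ_MOD = 1 << 32        # TCP sequence numbers are 32-bit, arithmetic is modular
PASSPHRASE_KEEP = 32     # the PHNE_27063 text: only the first 32 characters are retained


def isn_clock(now_us: int) -> int:
    """M(t): RFC 793's counter, incremented once every 4 microseconds."""
    return (now_us // 4) % SEQ_MOD


def tuple_offset(local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int, passphrase: str) -> int:
    """F(): secret-keyed hash of the 4-tuple, truncated to 32 bits.

    RFC 1948 suggests MD5 over the tuple and a secret; HMAC-SHA256 is an
    assumption of this example, chosen because it is the keyed-hash
    construction a new implementation would use.
    """
    secret = passphrase[:PASSPHRASE_KEEP].encode()   # mirrors the 32-char truncation
    msg = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def rfc1948_isn(local_ip: str, local_port: int,
                remote_ip: str, remote_port: int,
                passphrase: str, now_us: int) -> int:
    """ISN for a new connection on the given 4-tuple at time now_us."""
    offset = tuple_offset(local_ip, local_port, remote_ip, remote_port, passphrase)
    return (isn_clock(now_us) + offset) % SEQ_MOD


def random_increment_isn(prev_isn: int, rng: random.Random,
                         max_step: int = 1 << 16) -> int:
    """The older 'random increment' style of generator, for comparison.

    Each new ISN is the previous one plus a bounded random step (the 2^16 cap
    is a constructed value), so consecutive ISNs stay within a narrow window of
    each other instead of being spread over the whole 32-bit space.
    """
    return (prev_isn + rng.randrange(1, max_step + 1)) % SEQ_MOD


def seq_distance(a: int, b: int) -> int:
    """Distance from a to b in 32-bit sequence space (b - a, wrapped)."""
    return (b - a) % SEQ_MOD


def demo() -> dict:
    """Compare the two schemes on constructed addresses and timestamps."""
    passphrase = "rfc 1948"        # the value used in the patch text's ndd example
    t0, t1 = 1_000_000, 1_004_000  # constructed timestamps, 4000 us apart

    # Same 4-tuple over time: the ISN advances exactly with the clock (4000/4 = 1000).
    a0 = rfc1948_isn("10.0.0.1", 80, "10.0.0.2", 4321, passphrase, t0)
    a1 = rfc1948_isn("10.0.0.1", 80, "10.0.0.2", 4321, passphrase, t1)

    # Different peer at the same instant: the offset is an unrelated hash value.
    b0 = rfc1948_isn("10.0.0.1", 80, "10.0.0.3", 4321, passphrase, t0)

    # Random-increment scheme: every ISN lands within max_step of the previous one.
    rng = random.Random(1)         # fixed seed so the demo is reproducible
    r0 = rng.randrange(SEQ_MOD)
    r1 = random_increment_isn(r0, rng)

    return {
        "same_tuple_clock_advance": seq_distance(a0, a1),   # 1000
        "other_peer_distance": seq_distance(a0, b0),        # effectively arbitrary
        "random_increment_step": seq_distance(r0, r1),      # 1 <= step <= 65536
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The property to take from `demo()` is the contrast in the last two numbers: under RFC 1948, one peer's ISN reveals nothing about the offset another peer will see, whereas under a bounded random-increment scheme the next ISN is always close to the previous one. Note also that `tuple_offset` ignores everything past the 32nd character of the passphrase, which is why the patch text tells you not to expect a longer phrase to add anything.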
David Connolly
Regular Advisor

Re: TCP Sequence prediction

Thanks all,

That more than answers my question.