Hi
I think you misunderstood me.
1. I'm worried about hackers like all other people in the world.
2. The described software is not of that type, because it does not really open a TCP
connection tube.
a) TCP on the machine that is running the software is not aware of the sent SYN
frames, therefore any attack related to my sequence number will have the
same effect as any other attack with a random sequence number.
b) TCP on the target machine is in SYN/RECVD state, i.e. also useless,
relative to my software, for an attacker; it can easily put it into the same state.
Actually, the thing that I did to it was send a SYN packet, which
any kid can construct with any IP address and any seq number.
Anyway, thank you for the notice.
Toly
-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 09, 2001 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: TCP seq changed when cross Cisco PIX 525 [7:18764]
At 09:30 AM 9/9/01, Anatoly Shein wrote:
>Hi
>I'm not worried about hackers, the sending probe machine is not configured to
You're different from the rest of the world then.
>receive any packet of this port. Actually the probe is not sent via the TCP stack,
>but using a raw socket.
>Therefore any hacker's attempt to send me a packet will be answered with a RST
>frame.
Not if you're under attack and are unable to send a RST.
>Also I don't see any disadvantages of seq=1, it is easy to guess what is the
>next seq number
Well, the rest of the world, especially security experts, see a
disadvantage with seq = 1.
>also if you start from 342353122, for example.
>seq can be easily computed as seq next = seq + len + ( ( SYN | FIN ) & flags ) ? 1 : 0;
>Am I wrong ?
The problem occurs where the hacker doesn't actually see the first frame
and has no idea what the sequence number is but is still able to send a
reply that looks legitimate.
It's documented in most security explanations. Do some research. Check
descriptions of IP spoofing. I did a search on Google and immediately found
this article that looks pretty good:
http://www.fc.net/phrack/files/p48/p48-14.html
Priscilla
>toly
>-----Original Message-----
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Friday, September 07, 2001 6:49 AM
>To: [EMAIL PROTECTED]
>Subject: Re: TCP seq changed when cross Cisco PIX 525 [7:18764]
>
>
>Always starting with TCP sequence number 1 is a bad thing. It makes it easy
>for a hacker to guess what the sequence number is and insert himself into a
>connection establishment.
>
>So PIX and other firewalls let you randomize the starting sequence number
>for TCP implementations that don't already do this.
>
>Priscilla
>
>At 02:48 AM 9/6/01, Anatoly Shein wrote:
> >Hi
> >I have encountered a strange situation.
> >Probably one of you can help/has heard about something similar.
> >
> >Problem description:
> >There is a Sun machine connected to a pair of Cisco PIX 525.
> >On the Sun there is software that sends TCP SYN probe packets
> >with a sequence number that starts from 1 and increments for each packet.
> >Packets are sent 1 every 50 milliseconds.
> >When a packet crosses the router, the sequence number is changed.
> >This change is consistent for one set of packets but is not
> >for a subsequent set of packets.
> >
> >For example:
> >             before cisco   after cisco
> >1. TCP syn   seq = 1        seq = 1 + x
> >2. TCP syn   seq = 2        seq = 2 + x
> >3. TCP syn   seq = 3        seq = 3 + x
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
>________________________
>
>Priscilla Oppenheimer
>http://www.priscilla.com
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19248&t=18764
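
An added example, not part of the original thread and not Cisco's code: a toy model of the sequence-number translation discussed above, showing why the probes appear as `seq = n + x` behind the firewall, plus the next-sequence-number rule with 32-bit wraparound. The class, function names and flow tuples are constructed, and choosing one offset per flow is an assumption made to match the behaviour described in the thread.

```python
import secrets

MOD = 1 << 32            # TCP sequence numbers are 32-bit and wrap around
SYN, FIN = 0x02, 0x01    # TCP flag bits

def next_seq(seq, payload_len, flags):
    """Sequence number after a segment: SYN and FIN each consume one number."""
    return (seq + payload_len + bool(flags & SYN) + bool(flags & FIN)) % MOD

class SeqRandomizer:
    """Toy firewall: adds one random 32-bit offset per flow (assumption)."""
    def __init__(self):
        self.offsets = {}

    def outbound(self, flow, seq):
        # Pick the offset once per flow, then reuse it for every segment.
        x = self.offsets.setdefault(flow, secrets.randbelow(MOD))
        return (seq + x) % MOD

    def inbound_ack(self, flow, ack):
        # The peer acknowledges translated numbers, so subtract the offset.
        return (ack - self.offsets[flow]) % MOD

def recover_offset(pairs):
    """From (before, after) seq pairs captured on both sides of the firewall,
    return the single offset x, or None if the shift is not consistent."""
    deltas = {(after - before) % MOD for before, after in pairs}
    return deltas.pop() if len(deltas) == 1 else None

def demo():
    fw = SeqRandomizer()
    # Constructed flow tuples standing in for two "sets" of probes.
    set1 = ("10.0.0.5", 40000, "192.0.2.10", 80)
    set2 = ("10.0.0.5", 40001, "192.0.2.10", 80)
    probes = [1, 2, 3]   # the probe sequence numbers from the thread
    cap1 = [(s, fw.outbound(set1, s)) for s in probes]
    cap2 = [(s, fw.outbound(set2, s)) for s in probes]
    return fw, set1, set2, cap1, cap2

if __name__ == "__main__":
    fw, set1, set2, cap1, cap2 = demo()
    print("set 1 offset x =", recover_offset(cap1))
    print("set 2 offset x =", recover_offset(cap2))
```
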