TCP Sequence Prediction: Class=64K rule Difficulty=1 (Trivial joke)
From: The Hurdy Gurdy Man [email@example.com]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
References: [l.cranswick.471.0648D177@dl.ac.uk]
Date: Fri, 14 Apr 2000 04:20:21 GMT
Organization: EarthLink Inc. -- http://www.EarthLink.net
Xref: daresbury comp.sys.sgi.admin:90511

Lachlan Cranswick
Date: Mon, 17 Apr 2000 18:54:41 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [firstname.lastname@example.org]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Reply-To: Mike O'Connor [email@example.com]
Organization: Sonic Death Monkey

In article [A0JK4.firstname.lastname@example.org], Remove NO_SPAM to reply [mNeOn_sScPhAeMr@uiuc.edu] wrote:
:> Use systune to change the kernel tunable parameter "tcpiss_md5" to 1. As
:> far as a web page talking about it goes, I'm sure there's some
:> documentation someplace on techpubs.sgi.com, but personally I find it
:> easier just to read through the comments in the files stored in
:> /var/sysgen/mtune until I find one that does what I want. Check through
:> systune documentation; also, the "IRIX Admin: System Configuration and
:> Operation" online book (which should also be on techpubs) has lots of good
:> info too.
:
:What are the performance impacts of doing this? Based on my
:understanding of TCP and sequence numbers, it seems the MD5 would
:only be done once per connection, so the performance hit shouldn't
:be too bad. Can anyone verify this with experimental results?

My limited testing with this way back when showed no perceivable difference in performance. But performance in some corner case is probably the reason why some vendors have this as a system tunable off by default.

--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: email@example.com
Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
Sender: Damian Menscher [firstname.lastname@example.org]
From: mNeOn_sScPhAeMr@uiuc.edu (Remove NO_SPAM to reply)
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
Date: Tue, 18 Apr 2000 23:18:18 GMT
Organization: University of Illinois at Urbana-Champaign

Lachlan Cranswick [email@example.com] wrote:
> Following is a scan on my SGI O2 webserver running
> IRIX 6.5.7 with the latest nmap
> http://www.insecure.org/nmap/index.html
> (using the -O option to try and detect the operating system)
> Main question: with IRIX 6.5.7 - is there a webpage - description
> for making the TCP Sequence Prediction
>
> TCP Sequence Prediction: Class=64K rule
> Difficulty=1 (Trivial joke)
> No OS matches for host (If you know what OS is running on it, see http://www.ins
> ecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> TSeq(Class=64K)
> TSeq(Class=RI%gcd=80%SI=C8)
> TSeq(Class=64K)
> T1(Resp=Y%DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=N)

I've noticed that the difficulty level (and even the class!) changes during multiple runs of nmap. I've been experimenting with this a bit, and tried to get more stable results by basing the prediction on a longer sequence of numbers (i.e., 100 instead of 6). I also got it to print out the differences between subsequent numbers. I found some interesting results: the offset is almost always a 64K rule, but can also be an 800 rule or any of various other possible rules, including time dependent or (once) truly random.
I think I'm finally starting to understand what SGI meant in the file /var/sysgen/mtune/bsd:

* RFC1948: security fix for TCP source address spoofing by
* randomizing the low order bits of ISS (Initial Sequence number)
* using MD5
* 1 = use combination of MD5 and (nanotime, source/dst IP address/port
*     values and some dynamically changing virtual addresses) to
*     randomize ISS
* 0 = use just the nanotime and some dynamically changing virtual address
*     values to randomize ISS. This is the default and by itself is
*     quite safe from source address spoofing.

The "dynamically changing virtual address values" (whatever _those_ are) must be changing on a time scale that's a bit longer than that of the nmap scan. So when nmap takes 6 sequence numbers they usually differ only by the nanotime part of the rule. But when you try to take more numbers then the "dynamically changing" part bites you. Which makes me wonder if SGI is really as silly as I had initially thought. Perhaps predicting their sequence isn't a "Trivial joke" after all?

In the end, I'll probably still switch to using MD5. Even though there is more randomness in the default option than nmap gives it credit for, I would assume that randomness on such a long time-scale isn't really useful.

Comments?

Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## [firstname.lastname@example.org] www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
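A worked illustration of the experiment Damian describes (an added example, not code from any of the posts and not nmap's own code): classify a sample of ISNs by the increments between them, roughly the way nmap's TSeq summary does, and show how a constructed generator with a fixed step plus a slower-changing term looks like the "64K rule" on six samples but not on a hundred. The generator, the random sample and the classification thresholds are all constructed for this example; run it against ISNs captured from your own host to see which bucket it lands in.

```python
import math
import statistics
from functools import reduce

MASK32 = 0xFFFFFFFF

def isn_increments(isns):
    """Differences between successive ISNs, taken modulo 2^32 like the TCP sequence space."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]

def classify_isn(isns):
    """Bucket a host's ISN behaviour in the spirit of nmap -O's TSeq line (an
    approximation written for this example, not nmap's actual algorithm):
      ('constant', step)  every increment identical: '64K rule' when step == 64000, '800 rule' for 800
      ('RI', gcd, si)     random positive increments; si = stddev(diffs)/gcd, bigger means harder to guess
      ('random', None)    increments wrap around the 32-bit space: no structure visible
    """
    diffs = isn_increments(isns)
    if len(set(diffs)) == 1:
        return ("constant", diffs[0])
    if all(d < 2 ** 31 for d in diffs):          # monotone generator, never steps "backwards"
        g = reduce(math.gcd, diffs)
        return ("RI", g, round(statistics.pstdev(diffs) / g, 2))
    return ("random", None)

def irix_like_isns(n, step=64000, jump=80000, period=7, seed=0x1000):
    """Constructed generator (not real IRIX output): a fixed per-connection step plus an
    extra jump every `period` connections, mimicking the 'nanotime + slowly changing
    virtual address' behaviour of the tcpiss_md5=0 default discussed in the post."""
    isns, cur = [], seed
    for i in range(n):
        isns.append(cur & MASK32)
        cur += step + (jump if (i + 1) % period == 0 else 0)
    return isns

# Constructed 'truly random' sample: successive values jump across the whole 32-bit space.
RANDOM_SAMPLE = [0x9A3E1C2B, 0x12F0A7D4, 0xC4B8E911, 0x7701F3AA, 0x0B2D6C58]

if __name__ == "__main__":
    # Six ISNs (the number nmap samples) look like the 64K rule...
    print("6 samples  :", classify_isn(irix_like_isns(6)))
    # ...but a hundred from the same generator expose the slower-changing term.
    print("100 samples:", classify_isn(irix_like_isns(100)))
    print("random     :", classify_isn(RANDOM_SAMPLE))
```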
Date: Wed, 19 Apr 2000 01:20:05 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [email@example.com]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Organization: Sonic Death Monkey

You'll find that it's platform-specific... you'll almost never get nmap to show "trivial" sequence # prediction using an SGI that's suitably fast, like an R10k something-or-other.

--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: firstname.lastname@example.org
Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
As root, run systune -i and enter:
tcpiss_md5 = 1
Now check with the nmap security scanner:
computer_name 103# nmap -sS -O computer_name
The following procedure does not seem to work, so use the systune option above instead, which does not require a reboot to activate. Change to the /var/sysgen/mtune directory:
Make the bsd file writable.
chmod +w bsd
Edit the bsd file.
Search for the term tcpiss_md5
This gives the following section (description on top may be missing):
Set the default and minimum values to 1 to maximize ISS randomization (the protection against source address spoofing).
Make the bsd file non-writable again.
chmod -w bsd
Run /etc/autoconfig to configure the kernel prior to rebooting (saves on down time during the reboot)
Run /etc/init 6 to reboot the machine.
Hopefully this will work and make you happy. If not, reset the above /var/sysgen/mtune/bsd config and autoconfig and reboot back to the previous kernel (there are other methods to get back to a previous kernel).