From: The Hurdy Gurdy Man [bryan@tep12.ucsd.edu]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
References: [l.cranswick.471.0648D177@dl.ac.uk]
Date: Fri, 14 Apr 2000 04:20:21 GMT
Organization: EarthLink Inc. -- http://www.EarthLink.net
Xref: daresbury comp.sys.sgi.admin:90511
Lachlan Cranswick wrote:
> Main question: with IRIX 6.5.7 - is there a webpage - description
> for making the TCP Sequence Prediction less predictable?
>
> TCP Sequence Prediction: Class=64K rule
> Difficulty=1 (Trivial joke)
Use systune to change the kernel tunable parameter "tcpiss_md5" to 1. As
far as a web page talking about it goes, I'm sure there's some
documentation someplace on techpubs.sgi.com, but personally I find it
easier just to read through the comments in the files stored in
/var/sysgen/mtune until I find one that does what I want. Check through
systune documentation; also, the "IRIX Admin: System Configuration and
Operation" online book (which should also be on techpubs) has lots of good
info too.
Bryan
Date: Mon, 17 Apr 2000 18:54:41 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [mjo@dojo.mi.org]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Reply-To: Mike O'Connor [mjo@dojo.mi.org]
Organization: Sonic Death Monkey
In article [A0JK4.9109$nb2.196407@vixen.cso.uiuc.edu],
Remove NO_SPAM to reply [mNeOn_sScPhAeMr@uiuc.edu] wrote:
:> Use systune to change the kernel tunable parameter "tcpiss_md5" to 1. As
:> far as a web page talking about it goes, I'm sure there's some
:> documentation someplace on techpubs.sgi.com, but personally I find it
:> easier just to read through the comments in the files stored in
:> /var/sysgen/mtune until I find one that does what I want. Check through
:> systune documentation; also, the "IRIX Admin: System Configuration and
:> Operation" online book (which should also be on techpubs) has lots of good
:> info too.
:
:What are the performance impacts of doing this? Based on my
:understanding of TCP and sequence numbers, it seems the MD5 would
:only be done once per connection, so the performance hit shouldn't
:be too bad. Can anyone verify this with experimental results?
My limited testing with this way back when showed no perceivable
difference in performance. But performance in some corner case
is probably the reason why some vendors have this as a system
tunable off by default.
--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481
Sender: Damian Menscher [menscher@intellx1.physics.uiuc.edu]
From: mNeOn_sScPhAeMr@uiuc.edu (Remove NO_SPAM to reply)
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
Date: Tue, 18 Apr 2000 23:18:18 GMT
Organization: University of Illinois at Urbana-Champaign
Lachlan Cranswick [l.cranswick@dl.ac.uk] wrote:
> Following is a scan on my SGI O2 webserver running
> IRIX 6.5.7 with the latest nmap
> http://www.insecure.org/nmap/index.html
> (using the -O option to try and detect the operating system)
> Main question: with IRIX 6.5.7 - is there a webpage - description
> for making the TCP Sequence Prediction
> TCP Sequence Prediction: Class=64K rule
> Difficulty=1 (Trivial joke)
> No OS matches for host (If you know what OS is running on it, see http://www.ins
> ecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> TSeq(Class=64K)
> TSeq(Class=RI%gcd=80%SI=C8)
> TSeq(Class=64K)
> T1(Resp=Y%DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=N)
I've noticed that the difficulty level (and even the class!) changes
during multiple runs of nmap. I've been experimenting with this a
bit, and tried to get more stable results by basing the prediction on
a longer sequence of numbers (ie, 100 instead of 6). I also got it
to print out the differences between subsequent numbers. I found some
interesting results:
The offset is almost always a 64K rule, but an also be an 800 rule or
any of various other possible rules, including time dependant or (once)
truly random. I think I'm finally starting to understand what SGI
meant in the file /var/sysgen/mtune/bsd:
* RFC1948: security fix for TCP source address spoofing by
* randomizing the low order bits of ISS (Initial Sequence number)
* using MD5
* 1 = use combination of MD5 and (nanotime, source/dst IP address/port
* values and some dynamically changing virtual addresses) to
* randomize ISS
* 0 = use just the nanotime and some dynamically changing virtual address
* values to randomize ISS. This is the default and by itself is
* quite safe from source address spoofing.
The "dynamically changing virtual address values" (whatever _those_
are) must be changing on a time scale that's a bit longer than that of
the nmap scan. So when nmap takes 6 sequence numbers they usually
differ only by the nanotime part of the rule. But when you try to take
more numbers then the "dynamically changing" part bites you.
Which makes me wonder if SGI is really as silly as I had initially
thought. Perhaps predicting their sequence isn't a "Trivial joke"
after all?
In the end, I'll probably still switch to using MD5. Even though there
is more randomness in the default option than nmap gives it credit for,
I would assume that randomness on such a long time-scale isn't really
useful.
Comments?
Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## [menscher@uiuc.edu] www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
Date: Wed, 19 Apr 2000 01:20:05 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [mjo@dojo.mi.org]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Organization: Sonic Death Monkey
You'll find that it's platform-specific... you'll almost never get
nmap to show "trivial" sequence # prediction using an SGI that's
suitably fast, like an R10k something-or-other.
--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481