Randomizing tcp initial sequence numbers, and IP id field

  • #4868
    Wyatt
    Participant

Ok. Who has worked with increasing the randomization of the TCP initial sequence numbers, or worked with randomizing the IP identification field?
Background: TCP initial sequence numbers are somewhat randomized by most operating systems to help prevent session hijacking. Unfortunately, the randomization is not incredibly strong in most cases, and also they generally increment in a positive manner. As for the IP identification field, the common practice is to implement it as a counter, though that is not defined by any RFC. Making it a counter allows outside users to determine approximately how many computers are on your internal network and which ones are currently active. It is better if that number is randomized. You want to have a unique number in the field because it is possibly used later for rebuilding fragmented packets. I suspect that anyone who is good at building NAT applications would be close to being able to randomize these fields. Unfortunately, though I am a network engineer, I have never written anything close to a NAT application. Point me in the right direction please.
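As an added illustration of the NAT-style approach the post is asking about (example code written for this thread, not code from the poster, from Cisco, or from the WinpkFilter project): the translator below keeps a small state table keyed by the connection's endpoints, picks a fresh random offset when it sees an inside host's SYN, adds that offset to every outbound sequence number and subtracts it from every inbound acknowledgement, and overwrites the outbound IP ID. The `packet_t` struct, the field names and the `rand32` generator are assumptions made for this example; real packets would be parsed from the IPv4/TCP headers and would need both checksums recomputed afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64

/* Constructed, simplified view of one packet: only the fields the
 * translator touches. Real code parses these out of the IPv4/TCP headers
 * and recomputes the IP and TCP checksums after rewriting. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint16_t ip_id;
    uint32_t seq, ack;
    int syn, ack_flag;
} packet_t;

/* One state-table entry: inside endpoint, outside endpoint, and the random
 * offset applied to the inside host's sequence space for this connection. */
typedef struct {
    int in_use;
    uint32_t in_ip, out_ip;
    uint16_t in_port, out_port;
    uint32_t delta;
} flow_t;

typedef struct {
    flow_t flows[MAX_FLOWS];
    uint64_t rng;   /* xorshift64* state: a stand-in, NOT cryptographic */
} translator_t;

/* Placeholder PRNG (xorshift64*). A real translator must draw delta from the
 * OS cryptographic random source; a guessable delta defeats the purpose. */
static uint32_t rand32(translator_t *t) {
    t->rng ^= t->rng >> 12;
    t->rng ^= t->rng << 25;
    t->rng ^= t->rng >> 27;
    return (uint32_t)((t->rng * 2685821657736338717ULL) >> 32);
}

void translator_init(translator_t *t, uint64_t seed) {
    memset(t, 0, sizeof *t);
    t->rng = seed ? seed : 0x9E3779B97F4A7C15ULL;
}

static flow_t *find_flow(translator_t *t, uint32_t in_ip, uint16_t in_port,
                         uint32_t out_ip, uint16_t out_port) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_t *f = &t->flows[i];
        if (f->in_use && f->in_ip == in_ip && f->in_port == in_port &&
            f->out_ip == out_ip && f->out_port == out_port)
            return f;
    }
    return NULL;
}

/* Inside -> outside. Returns 1 if the packet was rewritten, 0 if it belongs
 * to no known flow and is not a new SYN (such packets pass untouched). */
int translate_outbound(translator_t *t, packet_t *p) {
    flow_t *f = find_flow(t, p->src_ip, p->src_port, p->dst_ip, p->dst_port);
    if (!f) {
        if (!(p->syn && !p->ack_flag)) return 0;
        for (int i = 0; i < MAX_FLOWS && !f; i++)
            if (!t->flows[i].in_use) f = &t->flows[i];
        if (!f) return 0;                 /* table full: pass unchanged */
        f->in_use = 1;
        f->in_ip = p->src_ip;  f->in_port = p->src_port;
        f->out_ip = p->dst_ip; f->out_port = p->dst_port;
        f->delta = rand32(t);             /* fresh offset per connection */
    }
    p->seq += f->delta;                   /* wraps modulo 2^32, like TCP itself */
    p->ip_id = (uint16_t)rand32(t);       /* hide the per-host IP ID counter */
    return 1;
}

/* Outside -> inside: the peer acknowledges our *translated* numbers, so the
 * offset is undone on its ACK field. The peer's own seq is left alone. */
int translate_inbound(translator_t *t, packet_t *p) {
    flow_t *f = find_flow(t, p->dst_ip, p->dst_port, p->src_ip, p->src_port);
    if (!f) return 0;
    if (p->ack_flag) p->ack -= f->delta;
    return 1;
}

int main(void) {
    translator_t t;
    translator_init(&t, 42);
    /* Constructed SYN from 10.0.0.1:40000 to 192.168.1.1:80 using the first
     * baseline ISN quoted later in this thread. */
    packet_t syn = { 0x0A000001u, 0xC0A80101u, 40000, 80, 1, 3821792392u, 0, 1, 0 };
    uint32_t original = syn.seq;
    translate_outbound(&t, &syn);
    printf("ISN %u leaves as %u (IP ID %u)\n", original, syn.seq, syn.ip_id);
    return 0;
}
```

Two things a real implementation adds on top of this skeleton: SACK blocks in inbound TCP options also carry the translated sequence space and must be shifted by the same delta, and because IP IDs must stay unique among fragments in flight to one destination, drawing them independently at random (as `rand32` does here) risks collisions; a per-destination random starting point or a random permutation of the 16-bit space avoids that while still hiding the counter.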

#5612
krisleech
Participant

I have not worked with a ‘random’ seq field, but I have heard about the use of strange attractors – they are part of chaos theory and show patterns in disorder, or order in disorder. A graph of a strange attractor shows a line that follows a pattern but never repeats the same path twice and leaps from negative to positive at ‘random’ intervals. Could be useful.

Kris,

#5613
Wyatt
Participant

Thanks krisleech, the randomization you are talking about is a little further than even I was looking for. We just want to randomize the initial sequence numbers, not all the sequence numbers. Let me give you some stats from our research to show you what we are looking for. The following are two lists of initial sequence numbers seen by a target destination. The first is a list of ISNs (initial sequence numbers) seen from a normal Microsoft Windows 2000 host directly connected. Note there is some randomization. The second is with a PIX 525 inline between the source (2 Windows 2000 hosts) and the destination (the same target host). The PIX greatly improved the randomization of the ISNs. These should highlight the differences and level of randomization we would like to see:
1. BASELINE (no firewall involved, just Microsoft’s native randomizing)
3821792392
3822536869
3823369052
-1min pause
3834763729
3835673715
3836565869
-1min pause
3848653605
3849412963
3850277338
-1min pause
3862514801 suspicious
3863329333
3863993408
-1min pause
3876307621
3877050874
3877880730
2. PIX firewall – future reference: Ethereal capture c:\temp\pix2.txt

FIREWALL INSIDE INTERFACE SAW: 245852646 (from comp1)
246488339 (from comp1)
247409802 (from comp1)
247997942 (from comp1)
248683549 (from comp1)
3005282343 (from comp2)
3005947206 (from comp2)
3006637540 (from comp2)
3007270429 (from comp2)
3007936591 (from comp2)
DESTINATION SAW the following ISNs in order, for the above packets:
497976609
698736491
1144843323
1753896461
2045921313
85892628
3876006248
3622132887
489476749
174402616
– no comparison, right? The PIX, in its state table, runs its own list of sequence numbers, which allows it to greatly improve randomization. That is what we are looking for using WinpkFilter. Well, that and the randomization of the IP ID field, which is simple compared to ISNs.

Does anyone have a copy of a program in which they have manipulated TCP/IP fields that works, that we could get a copy of? Thank you.
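To put numbers on the difference the post describes, here is an added example (written for this thread, not from the poster) that runs two simple predictability checks over the ISN lists quoted above: the fraction of consecutive samples that simply increase (a counter scores 1.0) and the worst-case error of the naive guess "next ISN = last ISN + the last increment", measured as the shortest distance around the 32-bit sequence circle. The two arrays are the page's own figures; the metric names are this example's choice. The same checks apply unchanged to a run of observed IP ID values, which is how a counter-style ID field shows itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Baseline ISNs quoted in the thread (Windows 2000 host, no firewall). */
static const uint32_t BASELINE_ISNS[] = {
    3821792392u, 3822536869u, 3823369052u, 3834763729u, 3835673715u,
    3836565869u, 3848653605u, 3849412963u, 3850277338u, 3862514801u,
    3863329333u, 3863993408u, 3876307621u, 3877050874u, 3877880730u };

/* ISNs the destination saw with the PIX 525 inline, as quoted in the thread. */
static const uint32_t PIX_ISNS[] = {
    497976609u, 698736491u, 1144843323u, 1753896461u, 2045921313u,
    85892628u, 3876006248u, 3622132887u, 489476749u, 174402616u };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Shortest distance between two points on the 32-bit sequence circle,
 * so a wrap past 2^32 is not mistaken for a huge jump. */
uint32_t seq_distance(uint32_t a, uint32_t b) {
    uint32_t d = a - b;                       /* modulo 2^32 */
    return d > 0x80000000u ? (uint32_t)(0u - d) : d;
}

/* Fraction of consecutive samples that increase. A plain counter, or an
 * ISN generator that only ever steps forward, scores 1.0. */
double monotone_fraction(const uint32_t *isn, size_t n) {
    size_t up = 0;
    for (size_t i = 1; i < n; i++)
        if (isn[i] > isn[i - 1]) up++;
    return n > 1 ? (double)up / (double)(n - 1) : 0.0;
}

/* Worst error of the linear guess "next = last + (last - previous)".
 * Small values mean an observer can narrow the next ISN to a tight window. */
uint32_t max_extrapolation_error(const uint32_t *isn, size_t n) {
    uint32_t worst = 0;
    for (size_t i = 2; i < n; i++) {
        uint32_t guess = isn[i - 1] + (isn[i - 1] - isn[i - 2]);
        uint32_t err = seq_distance(isn[i], guess);
        if (err > worst) worst = err;
    }
    return worst;
}

static void report(const char *label, const uint32_t *isn, size_t n) {
    printf("%-9s monotone=%.2f  max extrapolation error=%u\n", label,
           monotone_fraction(isn, n), max_extrapolation_error(isn, n));
}

int main(void) {
    report("baseline", BASELINE_ISNS, COUNT(BASELINE_ISNS));
    report("pix", PIX_ISNS, COUNT(PIX_ISNS));
    return 0;
}
```

On the baseline list every sample increases and the linear guess is never off by more than about 11.7 million, i.e. the next ISN is confined to a window well under 2^24; on the PIX list the samples go both ways and the guess is off by more than 2^30 at least once, which is what a randomized ISN should look like.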
