Dear everyone:

I'm now trying to improve the TCP sequence number generation algorithm in the Linux TCP/IP protocol stack. According to a CERT advisory, the Linux kernel has the predictable TCP initial sequence number vulnerability (http://www.cert.org/advisories/CA-2001-09.html).

To solve this problem, I propose to use the MD5 message digest algorithm to calculate the ISN, because MD5 is the algorithm recommended for calculating it in RFC1948.

This algorithm may be inappropriate under some circumstances (e.g. Gigabit Ethernet networks). Some people may prefer to use the current algorithm (it uses a kind of MD4). But some people may regard the vulnerability as a serious one, so I propose it as one of the kernel options for such people.

I experimentally added code to generate the ISN with the MD5 algorithm and I examined it with NMAP version 3.0. The result of the examination is shown in the last part of this mail. This shows that the MD5 algorithm can generate a more preferable ISN than the vanilla linux-2.4.19.

Would you merge this patch into the Linux kernel?

Thank you in advance.

-- Linux-2.4.19-vanilla (Plain version of Linux-2.4.19)
/usr/local/bin/nmap -sS -O -vv 192.168.0.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
* * * * * * * * * * Omitted * * * * * * * * * *
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=21FD37%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.003 days (since Mon Nov 18 23:44:34 2002)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2227511 (Good luck!)
TCP ISN Seq. Numbers: 13532D3F 14165923 13DC905D 1348808F 1340E1ED 137C9D75
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
-- Linux-2.4.19-vanilla (Plain version of Linux-2.4.19)

-- TCP ISN calculation with MD5 algorithm for Linux-2.4.19.
/usr/local/bin/nmap -sS -O -vv 192.168.0.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
* * * * * * * * * * Omitted * * * * * * * * * *
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=21FD37%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.003 days (since Mon Nov 18 23:44:34 2002)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2227511 (Good luck!)
TCP ISN Seq. Numbers: 13532D3F 14165923 13DC905D 1348808F 1340E1ED 137C9D75
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
-- TCP ISN calculation with MD5 algorithm for Linux-2.4.19

---------------------------
Takeharu KATO
E-mail: tk1219@alles.or.jp
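
Added example, not part of the original mail or of the proposed patch: a user-space sketch of the RFC 1948 scheme the mail refers to, ISN = M + F(localhost, localport, remotehost, remoteport, secret) with F = MD5 and M a 4-microsecond timer. The secret, the client address, the ports and all function names are constructed for illustration, and taking the first 32 bits of the digest as F's output is an assumption of this sketch.

```python
import hashlib
import socket
import struct

# Constructed 128-bit secret for this demo; a real stack would generate it
# randomly at boot and keep it private.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
MASK32 = 0xFFFFFFFF


def f_md5(laddr, lport, raddr, rport, secret=SECRET):
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    Assumption of this sketch: the first 32 bits of the digest are used.
    """
    conn_id = (socket.inet_aton(laddr) + struct.pack("!H", lport)
               + socket.inet_aton(raddr) + struct.pack("!H", rport))
    return struct.unpack("!I", hashlib.md5(conn_id + secret).digest()[:4])[0]


def isn(laddr, lport, raddr, rport, usec, secret=SECRET):
    """ISN = M + F(...) mod 2**32, where M ticks once every 4 microseconds."""
    m = (usec // 4) & MASK32
    return (m + f_md5(laddr, lport, raddr, rport, secret)) & MASK32


def deltas(values):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(values, values[1:])]


def probe(server, sport, client, cports, times):
    """ISNs the server would send to each (client port, time) probe."""
    return [isn(server, sport, client, p, t) for p, t in zip(cports, times)]


if __name__ == "__main__":
    times = [0, 4000, 8000, 12000]          # constructed: probes 4 ms apart
    same = probe("192.168.0.1", 80, "192.168.0.2", [40000] * 4, times)
    varied = probe("192.168.0.1", 80, "192.168.0.2",
                   [40000, 40001, 40002, 40003], times)
    # Same 4-tuple: only the timer moves, so each delta is 1000 ticks.
    print("same tuple deltas  :", deltas(same))
    # New source port per probe: the secret-keyed offset changes every time.
    print("varied port deltas :", deltas(varied))
```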