[Dshield] Hiding IP's

Brian Dessent brian at dessent.net
Mon Aug 22 06:58:59 GMT 2005

Valdis.Kletnieks at vt.edu wrote:

> Actually, Michal Zalewski discovered that even after RFC1948 was written,
> and most vendors had purportedly implemented some variant of it, things
> were a lot worse than you might hope:
> http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm
> And a year later, things hadn't universally improved:
> http://lcamtuf.coredump.cx/newtcp/
> A 12% success rate against the version of Windows XP he tested certainly
> seems to be well within "easy or trivial" - I admit not knowing whether SP1
> or SP2 improved things....

You're right of course, and I did read both of those papers when they
were released.  I do know that MS issued a patch that backported their
win2k ISN generator to NT 4.0, and then wiped their hands and called it
a day.  According to their literature win2k and beyond do not suffer
from any ISN vulnerabilities so I suppose MS doesn't feel it's worth
improving.  I guess I must have glossed over the conclusion in the "one
year later" followup that it was still not sufficient.

I skipped the statistical details of the Zalewski papers so I don't know
what the 12% actually means precisely in real terms.  I'm not sure I
would call it trivial, because it seems like you still have to exhaust a
lot of bandwidth in order to guess correctly.

In the context of hiding ones presence on the net for general use
patterns, it still doesn't really chance the picture since

- the spoofer gets a unidirectional write-only connection since he does
not receive any response packets.

- linux and the bsds still have the majority of the server OS market,
and their IP stacks implemented 1948.


More information about the list mailing list