Ascend Archive

Re: (ASCEND) _very_ poor ISN generation on Ascend MAX



On Sat, 11 Oct 1997, Marc Slemko wrote:

> The below test was done against a MAX running 5.0Ai13.  I do not know
> if the latest p releases (or the TNT software) have the same problems;
> it is quite easy to test.  If anyone running the latest p release
> or a TNT is willing and has a box that accepts telnet (or finger,
> which works even if finger is turned off on the box, etc.) connections
> give me an IP and I can try.  No passwords needed.

Steven Bellovin reminded me of RFC-1948 which briefly describes
the problems with being able to predict sequence numbers and one
possible fix.

http://main.succeed.net/~coder/spoofit/spoofit.html talks about
blind spoofing and how it is done, including source.  The sequence
number guessing required against a MAX is even easier than the
_simplest_ case talked about there.  Oh well, at least it isn't as
bad as Livingston who, at least in older ComOS releases (don't know
about new ones) _always_ uses an ISN of 127.  I would say that I
wouldn't be surprised to see something worse except for the fact
that you can't get worse than that.

As I mentioned before, this is certainly less problematic than it
could be, since most environments don't involve large numbers of 
TCP connections to or from your terminal servers, but there is still
potential risk.  Do you ever telnet from the termserv prompt on
your MAX to another host?  This problem makes it possible, in
theory, for someone to inject arbitrary commands into your telnet
connection.  This has a reasonable chance of actually working in
practice assuming the attacker can gain a few bits of information
about the timing of various things.

Oh, and so far the response from Ascend to my trouble report was
along the lines of "I don't understand."

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
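
The fix from RFC 1948 that the message refers to, sketched as an added example (not part of the original post and not Ascend's or Livingston's code): the ISN is a 4-microsecond clock plus a keyed hash of the connection 4-tuple, so ISNs seen on one connection say nothing about another. Assumptions: HMAC-SHA256 stands in for the MD5-based hash the RFC suggests, and the function names, secret handling and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

MASK32 = 0xFFFFFFFF
BOOT_SECRET = os.urandom(16)  # assumption: random per-boot secret, never sent on the wire


def clock_component(now=None):
    """M in RFC 1948: a 32-bit counter that ticks every 4 microseconds."""
    now = time.time() if now is None else now
    return int(now * 250_000) & MASK32


def tuple_offset(local_ip, local_port, remote_ip, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret), truncated to 32 bits."""
    conn_id = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
               + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
    # HMAC-SHA256 is this example's choice; the RFC suggests MD5 over the same inputs.
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port,
                secret=BOOT_SECRET, now=None):
    """ISN = M + F(...): monotonic per connection, unrelated across connections."""
    offset = tuple_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock_component(now) + offset) & MASK32


def constant_isn(*_conn, **_kw):
    """The behaviour the post reports for older ComOS releases."""
    return 127


if __name__ == "__main__":
    server = ("192.0.2.1", 23)             # constructed addresses (documentation ranges)
    observer = ("198.51.100.7", 40000)     # host that can open its own connections
    other = ("203.0.113.9", 40000)         # a different peer of the same server
    for label, peer in (("observer", observer), ("other", other)):
        print(label, "constant:", constant_isn(*server, *peer),
              "rfc1948:", rfc1948_isn(*server, *peer, now=1000.0))
```

For a fixed 4-tuple the ISN still advances with the clock, which preserves the protection against old duplicate segments; only the per-tuple offset is secret.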

