> The below test was done against a MAX running 5.0Ai13.  I do not know
> if the latest p releases (or the TNT software) has the same problems;
> it is quite easy to test.  If anyone running the latest p release
> or a TNT is willing and has a box that accepts telnet (or finger,
> which works even if finger is turned off on the box, etc.) connections
> give me an IP and I can try.  No passwords needed.

Steven Bellovin reminded me of RFC-1948 which briefly describes the
problems with being able to predict sequence numbers and one possible
fix.

<A HREF="http://main.succeed.net/~coder/spoofit/spoofit.html">http://main.succeed.net/~coder/spoofit/spoofit.html</A> talks about
blind spoofing and how it is done, including source.  The sequence
number guessing required against a MAX is even easier than the
_simplest_ case talked about there.

Oh well, at least it isn't as bad as Livingston who, at least in
older ComOS releases (don't know about new ones) _always_ uses an
ISN of 127.  I would say that I wouldn't be surprised to see something
worse except for the fact that you can't get worse than that.

As I mentioned before, this is certainly less problematic than it
could be, since most environments don't involve large numbers of
TCP connections to or from your terminal servers, but there is
still potential risk.  Do you ever telnet from the termserv prompt
on your MAX to another host?  This problem makes it possible, in
theory, for someone to inject arbitrary commands into your telnet
connection.  This has a reasonable chance of actually working in
practice assuming the attacker can gain a few bits of information
about the timing of various things.

Oh, and so far the response from Ascend to my trouble report was
along the lines of "I don't understand."
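The RFC-1948 fix mentioned above, as an added example that is not part of the original post: the ISN is a 4-microsecond timer plus a keyed hash of the connection 4-tuple, shown next to a coarse check that flags the constant-ISN case. HMAC-SHA256 stands in for the MD5 the RFC suggests, and the function names, addresses and sample ISN lists are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def rfc1948_isn(secret, local_ip, local_port, remote_ip, remote_port, now_us):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret)."""
    m = (now_us // 4) % MOD  # M: timer that ticks once every 4 microseconds
    conn_id = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
               + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
    # F: keyed hash of the 4-tuple (assumption: HMAC-SHA256 instead of MD5).
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    f = struct.unpack("!I", digest[:4])[0]
    return (m + f) % MOD


def audit_isns(samples):
    """Coarse check of ISNs sampled from consecutive connections to your own box.

    "varying" only means the two trivial patterns were not seen; it is not
    evidence that the generator is unpredictable.
    """
    deltas = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    if deltas == {0}:
        return "constant"
    if len(deltas) == 1:
        return "fixed-increment"
    return "varying"


# Constructed samples, not captured traffic.
CONSTANT_ISNS = [127, 127, 127, 127]           # the always-127 behaviour described above
STEPPED_ISNS = [1000, 65000, 129000, 193000]   # hypothetical fixed step per connection


def rfc1948_samples(secret, ports, now_us=0):
    """ISNs a single remote host would see when connecting from several ports."""
    return [rfc1948_isn(secret, "192.0.2.1", 23, "198.51.100.7", p, now_us)
            for p in ports]


if __name__ == "__main__":
    print(audit_isns(CONSTANT_ISNS), audit_isns(STEPPED_ISNS))
    print(audit_isns(rfc1948_samples(b"constructed-secret", range(40000, 40005))))
```

Within one connection 4-tuple the ISN still advances with the timer, so old duplicate segments are handled as before; across 4-tuples the offset depends on the secret, which is what defeats guessing from one's own connections.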
</PRE>
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<HR>
<STRONG>References</STRONG>:
<UL>
<LI><STRONG><A HREF="msg09645.html">(ASCEND) _very_ poor ISN generation on Ascend MAX</A></STRONG></LI>
<UL>
<LI><EM>From</EM>: Marc Slemko <marcs@znep.com></LI>
</UL>
</UL>
<!--X-References-End-->
</BODY>
</HTML>