To be honest I was not assuming on or off a shared network for this
scenario, I just hadn't considered it one way or the other.

Shared and unshared mean less and less anyway... with semi-automated
tools like Cain and Abel, and my favorite Dsniff (quick plug for it:
"dsniff is a collection of tools for network auditing and
penetration testing" that automates MITM attacks, shows the
ineffectiveness of depending on switches (vs. hubs) for security,
and more)

But in any case, blind attacks (attacks that take place on the internet
vs. a WAN, MAN, LAN, etc.) would still be the majority of the cases,
wouldn't they? A good IDS will find a local MITM attack such as
the ones we are discussing, unless it is also blind (IOW, they don't
do any ARP poisoning/MAC spoofing). Then, yes, we would be left
depending on the random # generation of the OS and the lack of
brute force of the hacker.

RFC 1948, which most OSes seem to ignore, would make it much, much
more difficult even with only mediocre randomness. It advocates
one-way MD5 hashes....

The seminal paper on this would probably be "Strange Attractors
and TCP/IP Sequence Number Analysis", the update to which is

This is good reading--it compares many OSes' randomness with
respect to TCP sequence numbers, posits the brute force
necessary to hack them, and does so in a very readable

One crucial part of it is "Current Risks of tcp/ip spoofing"


On Thu, 29 Nov 2007, Darden, Patrick S. wrote:

> >You're assuming a blind attack, a very dangerous assumption. Even with a
> >blind attack, you're assuming that (a) the attacker's prediction efforts
> >are stymied by hard-to-predict sequence numbers and (b) the attacker
> >(or defender) lacking enough bandwidth to brute force the sequence number
> >or the likely sequence number space.

> I am not assuming a blind attack. I was positing an example situation
> that highlighted the importance of TCP sequence numbers. Please do not
> put words in my mouth.

But the predictability of ISNs is only important in blind attacks: if the
attacker can sniff the ISNs, then the sequence numbers have no
value to a connection under attack as far as I can tell. So if your
scenario doesn't assume a blind attack, what am I missing?
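The RFC 1948 scheme mentioned earlier in the thread (ISN = M + F(localhost, localport, remotehost, remoteport, secret), with a truncated MD5 as F) is shown below as an added example; it is not part of this mail exchange or of any OS's TCP stack. The endpoints, clock values and per-boot secret are constructed. It sets the RFC 1948 generator beside the plain RFC 793 clock so the defensive gain is visible: a peer that learns its own ISN can no longer infer the ISN handed to a different connection opened at the same instant, while the per-connection monotonic clock behaviour TCP depends on is preserved.

```python
import hashlib
import ipaddress
import struct

MASK32 = 0xFFFFFFFF


def clock_m(now_us: int) -> int:
    """RFC 793's ISN clock M: one increment every 4 microseconds, wrapping at 2^32."""
    return (now_us // 4) & MASK32


def rfc793_isn(now_us: int) -> int:
    """Pre-RFC 1948 behaviour: the ISN is the shared clock alone, so every
    connection opened at the same instant receives the same ISN."""
    return clock_m(now_us)


def rfc1948_offset(local_ip: str, local_port: int,
                   remote_ip: str, remote_port: int, secret: bytes) -> int:
    """F(): RFC 1948's one-way function, here MD5 over the connection 4-tuple
    and a per-boot secret, truncated to 32 bits."""
    h = hashlib.md5()
    h.update(ipaddress.ip_address(local_ip).packed)
    h.update(struct.pack("!H", local_port))
    h.update(ipaddress.ip_address(remote_ip).packed)
    h.update(struct.pack("!H", remote_port))
    h.update(secret)
    return struct.unpack("!I", h.digest()[:4])[0]


def rfc1948_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes, now_us: int) -> int:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret) mod 2^32."""
    offset = rfc1948_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock_m(now_us) + offset) & MASK32


def compare_schemes(secret: bytes, t0_us: int = 1_000_000,
                    later_us: int = 1_004_000) -> dict:
    """Constructed scenario: two clients open connections to the same server
    port at the same instant, and the first client connects again 4000
    microseconds later.  Returns the properties a defender cares about."""
    # Constructed endpoints from the RFC 5737 documentation ranges.
    a = ("192.0.2.10", 40000, "198.51.100.5", 25)
    b = ("192.0.2.11", 40000, "198.51.100.5", 25)
    expected_ticks = (later_us - t0_us) // 4  # 1000 clock ticks

    isn_a_793, isn_b_793 = rfc793_isn(t0_us), rfc793_isn(t0_us)
    isn_a_1948 = rfc1948_isn(*a, secret, t0_us)
    isn_b_1948 = rfc1948_isn(*b, secret, t0_us)
    isn_a_1948_later = rfc1948_isn(*a, secret, later_us)

    return {
        # Same instant, different 4-tuples: RFC 793 hands out identical ISNs,
        # so one peer's own ISN tells it the other connection's ISN too ...
        "rfc793_same_for_both_clients": isn_a_1948 is not None and isn_a_793 == isn_b_793,
        # ... while RFC 1948 separates them by an offset derived from the
        # secret, which neither peer can observe or compute.
        "rfc1948_differs_between_clients": isn_a_1948 != isn_b_1948,
        # Within one 4-tuple the ISN still advances with the clock, which is
        # what TCP relies on so old segments are not mistaken for new ones.
        "rfc1948_monotonic_per_tuple":
            ((isn_a_1948_later - isn_a_1948) & MASK32) == expected_ticks,
        # A fresh secret (i.e. a reboot) changes every per-tuple offset.
        "secret_changes_offset":
            rfc1948_offset(*a, secret) != rfc1948_offset(*a, secret + b"x"),
    }


if __name__ == "__main__":
    # A real stack would draw the secret from os.urandom at boot; a fixed
    # constructed value keeps this demonstration deterministic.
    for name, ok in compare_schemes(b"constructed-per-boot-secret").items():
        print(f"{name}: {ok}")
```

Note that the clock term M is still there by design: RFC 1948 does not try to make the ISN random, only to make the per-connection offset unknowable without the secret, which is why the thread's point that even mediocre randomness in M becomes far harder to exploit holds.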

