
Defending Against Sequence Number Attacks (RFC1948)

IP.com Disclosure Number: IPCOM000004177D
Original Publication Date: 1996-May-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 5 page(s) / 12K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Bellovin: AUTHOR

Abstract

IP spoofing attacks based on sequence number spoofing have become a serious threat on the Internet (CERT Advisory CA-95:01). While ubiquitous cryptographic authentication is the right answer, we propose a simple modification to TCP implementations that should be a very substantial block to the current wave of attacks.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 24% of the total text.

Network Working Group                                        S. Bellovin
Request for Comments: 1948                                 AT&T Research
Category: Informational                                         May 1996

Defending Against Sequence Number Attacks

Status of This Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

IP spoofing attacks based on sequence number spoofing have become a serious threat on the Internet (CERT Advisory CA-95:01). While ubiquitous cryptographic authentication is the right answer, we propose a simple modification to TCP implementations that should be a very substantial block to the current wave of attacks.

Overview and Rationale

In 1985, Morris [1] described a form of attack based on guessing what sequence numbers TCP [2] will use for new connections. Briefly, the attacker gags a host trusted by the target, impersonates the IP address of the trusted host when talking to the target, and completes the 3-way handshake based on its guess at the next initial sequence number to be used. An ordinary connection to the target is used to gather sequence number state information. This entire sequence, coupled with address-based authentication, allows the attacker to execute commands on the target host.

Clearly, the proper solution is cryptographic authentication [3,4]. But it will be quite a long time before that is deployed. It has therefore been necessary for many sites to restrict use of protocols that rely on address-based authentication, such as rlogin and rsh. Unfortunately, the prevalence of "sniffer attacks" -- network eavesdropping (CERT Advisory CA-94:01) -- has rendered ordinary TELNET [5] very dangerous as well. The Internet is thus left without a safe, secure mechanism for remote login.

We propose a simple change to TCP implementations that will block most sequence number guessing attacks. More precisely, such attacks will remain possible if and only if the Bad Guy already has the ability to launch even more devastating attacks.

Details of the Attack

In order to understand the particular case of sequence number guessing, one must look at the 3-way handshake used in the TCP open sequence [2]. Suppose client machine A wants to talk to rsh server B. It sends the following message:

A->B: SYN, ISNa

That is, it sends a packet with the SYN ("synchronize sequence number") bit set and an initial sequence number ISNa.

B replies with

B->A: SYN, ISNb, ACK(ISNa)

In addition to sending its own initial sequence number, it acknowledges A's. Note that the actual numeric value ISNa must appear in the message.

A concludes the handshake by sending

A->B: ACK(ISNb)

The initial sequence numbers are intended to be more or less random. More precisely, RFC 793 specifies that the 32-bit count...
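The handshake and the guessing sequence above, as an added in-memory simulation (not code from the RFC): host B records the ISNb it sends and completes a connection only on a matching ACK, and an off-path party that learned B's ISN from its own connection must guess the ISNb sent to a gagged trusted host T. Two ISN generators are assumed and constructed here: a fixed-step counter in the style this excerpt begins to describe, and a per-connection keyed offset in the spirit of the memo's proposal (the excerpt stops before the full scheme, so its form here is an assumption). The step size, host names and ports are constructed values.

```python
import hashlib
import os
import struct

STEP = 64_000  # constructed per-connection increment for both generators

class CounterISN:
    """Predictable model: a 32-bit counter that advances by a fixed step per open."""
    def __init__(self):
        self.counter = 0
    def isn(self, local, remote):
        self.counter = (self.counter + STEP) & 0xFFFFFFFF
        return self.counter

class KeyedISN:
    """Assumed form of the memo's proposal: the same clock plus a secret-keyed
    function of the connection endpoints, so one peer's ISN says nothing about
    another peer's. MD5 over (secret, local, remote) is the constructed F here."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.clock = 0
    def isn(self, local, remote):
        self.clock = (self.clock + STEP) & 0xFFFFFFFF
        digest = hashlib.md5(self.secret + repr((local, remote)).encode()).digest()
        return (self.clock + struct.unpack(">I", digest[:4])[0]) & 0xFFFFFFFF

class Server:
    """Host B: remembers the ISNb it sent and establishes only on a matching ACK."""
    def __init__(self, gen):
        self.gen, self.half_open, self.established = gen, {}, set()
    def on_syn(self, remote, isn_a):            # A->B: SYN, ISNa
        isn_b = self.gen.isn(("B", 514), remote)
        self.half_open[remote] = isn_b
        return ("SYN", isn_b, isn_a)            # B->A: SYN, ISNb, ACK(ISNa)
    def on_ack(self, remote, ack):              # A->B: ACK(ISNb)
        if self.half_open.get(remote) == ack:
            self.established.add(remote)
            return True
        return False

def off_path_guess_succeeds(gen):
    """Replay the sequence the text describes against generator `gen`: learn B's
    ISN from an ordinary connection, then claim T's address without ever seeing
    B's reply. Returns True if B accepts the guessed ACK."""
    srv = Server(gen)
    _, isn_seen, _ = srv.on_syn(("X", 1023), 1000)   # X's own, legitimate open
    srv.on_ack(("X", 1023), isn_seen)
    srv.on_syn(("T", 1023), 2000)                    # SYN as T; reply goes to gagged T
    return srv.on_ack(("T", 1023), (isn_seen + STEP) & 0xFFFFFFFF)

if __name__ == "__main__":
    print("counter ISN guessable:", off_path_guess_succeeds(CounterISN()))  # True
    print("keyed ISN guessable:", off_path_guess_succeeds(KeyedISN()))      # False
```

The keyed generator still lets a genuine peer complete the handshake normally, since B checks the ACK against the ISNb it actually sent to that peer.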