Files in this directory: tcpisn_tool.tar.gz (the hping3 Tcl/Tk script) and the
ISN distribution plots tcpisn_*.gif for Cisco IOS 12.4, Huawei VRP, Juniper
JunOS 9.5, Linux 2.6.x (half-MD4), Linux 3.5.x (MD5), MikroTik RouterOS 4.x,
vxWorks 5.x, Windows Server 2012, and the sites apple, microsoft, myspace,
twitter and yahoo.

Overview
-------------------------------------------------------------------------------
Attacks against TCP initial sequence number (ISN) generation have been
discussed for quite a long time. The reality of such attacks led to the
widespread use of pseudo-random number generators (PRNGs) to introduce some
randomness when producing the ISNs used in TCP connections. It has long been
recognized that the ability to know or predict ISNs can lead to manipulation,
resetting or spoofing of TCP connections.



Analysis in 2D phase space
-------------------------------------------------------------------------------
It is useless to analyze the sequence number itself: the random part is just
the increment. Moreover, some weaknesses are not about correlation between
previous and successive increments at all, but about increments that do not
show a good distribution. So the idea is to display the ISN distribution in
2D space; it is much simpler to evaluate a specific PRNG implementation by
just looking at the picture. TCP sequence numbers are a one-dimensional data
set, so to build a 2-dimensional representation (i.e. to reconstruct the
missing dimension) the previous values are used as the additional coordinate.
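The following is an added example (not part of this page or the hping3 script
it describes) that performs the embedding just described offline: it takes a
list of ISNs, reduces them to wrapped increments, pairs each increment with the
previous one, and renders a text-mode stand-in for the 2D plots. The two ISN
sequences are constructed, not captured from real hosts; one mimics the fixed
64,000 step and the other a generator with full 32-bit randomness.

```python
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit, so increments wrap


def isn_increments(isns):
    """Successive ISN differences, wrapped modulo 2^32 (the random part)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def phase_space_points(isns):
    """Delay-coordinate embedding: pair each increment with the previous one."""
    d = isn_increments(isns)
    return list(zip(d, d[1:]))


def point_spread(points):
    """Fraction of distinct points: 1/N for a constant step, close to 1 for a good PRNG."""
    return len(set(points)) / len(points)


def render(points, cols=32, rows=12):
    """Bin the 2D points into a character grid (a text stand-in for the scatter plot)."""
    grid = [["."] * cols for _ in range(rows)]
    for x, y in points:
        grid[rows - 1 - y * rows // MOD][x * cols // MOD] = "#"
    return "\n".join("".join(row) for row in grid)


# Constructed samples, not captured from real hosts.
def constant_increment_isns(n, start=0x1000, step=64000):
    """Models the vxWorks-style generator: a fixed step, no randomness at all."""
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n, seed=1):
    """Models a generator with clean 32-bit randomness (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, isns in (("constant step", constant_increment_isns(500)),
                       ("32-bit random", random_isns(500))):
        pts = phase_space_points(isns)
        print(f"{name}: spread={point_spread(pts):.3f}")
        print(render(pts))
```

The constant-step sequence collapses to a single cell, which is the one-point picture
discussed in Example #1 below, while the random sequence fills the grid.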



Tools used
-------------------------------------------------------------------------------
Actually, everything is based on hping3, a powerful packet generator and
analyzer which has Tcl scripting features. A simple Tcl/Tk script generates TCP
segments with the SYN flag set and receives the answers from a distant host. The
extracted TCP sequence numbers are used to generate a 2-dimensional TCP ISN
distribution visualisation in real time.



Example #1 - vxWorks 5.x (aka 64k)
-------------------------------------------------------------------------------


This is a perfect example of how PRNGs should not be implemented. Practically
speaking, this system has NO random sequence numbers at all; it has constant
increments of 64,000 instead. As a result we see a one-point representation.
This is not an isolated case. As a matter of fact, many network devices such
as small home routers, VoIP equipment, printers and so on have completely
predictable sequence numbers.



Example #2 - JunOS 9.5
-------------------------------------------------------------------------------


The JunOS operating system is primarily based on the FreeBSD kernel, the
advantage of which is a very good PRNG implementation. It provides clean,
32-bit randomness. Most modern operating systems can boast a similar result.



Example #3 - Linux
-------------------------------------------------------------------------------
Since kernel version 3.1, MD5 has replaced half-MD4 as the hash function in the
ISN generator. The results are clearly visible. Using MD5 was proposed in
RFC 6528 along with the ISN generation algorithm.



References
-------------------------------------------------------------------------------
http://lcamtuf.coredump.cx/oldtcp/
Strange Attractors and TCP/IP Sequence Number Analysis

http://wiki.hping.org/94
Introduction to hping3 scripting

http://www.ietf.org/rfc/rfc6528.txt
Defending Against Sequence Number Attacks