Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

To: Amit Klein <amit.klein@xxxxxxxxxxxx>
Subject: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"
From: Tim Newsham <newsham@xxxxxxxx>
Date: Wed, 6 Feb 2008 07:48:10 -1000 (HST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <47A9DA84.9050909@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <47A9DA84.9050909@xxxxxxxxxxxx>

Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
OpenBSD kernel network stack. The analysis carries out quite
similarly to show that OpenBSD's IP ID is predictable as well,
which gives way to O/S fingerprinting, idle-scanning, host alias
detection, traffic analysis, and in some cases, even to TCP blind
data injection.


Can you expound upon the blind TCP injection allowed by IP ID
prediction?

Amit Klein
CTO Trusteer


Tim Newsham
http://www.thenewsh.com/~newsham/

References:
- A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"
  - From: Amit Klein

Prev by Date: [security bulletin] HPSBGN02310 SSRT080007 rev.1 - HP Virtual Rooms Running on Windows, Remote Execution of Arbitrary Code
Next by Date: rPSA-2008-0043-1 icu
Previous by thread: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"
Next by thread: Update+Errata: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"
Index(es):
- Date
- Thread