Hello,

This first part is sort of relevant to bugtraq (If you're not interested, skip down to the ObBug and the part below it) :-)

I have written an implementation of the TCP sequence number prediction (as allegedly used by Mitnick and described by Bellovin and Morris). Works pretty well too.. :-)

So, the question is: Is there any value in posting the source? Presumably people can find themselves a description of how it works, but posting running source may give more insight into the problem and spur the slower vendors into fixing it, or at least notifying their customers how to fix it themselves.

Okay, okay:

ObBug:

Given an open TCP connection between host A and B with sequence numbers Seq(A) and Seq(B). Host W (the intruder) injects a spoofed packet to B using the proper Seq(A) (obtained any number of ways). Assume the following scenario:

  A -> B: Seq(A), 7 bytes of data
  B -> A: Seq(B), ACK Seq(A)+7
  W -> B: Seq(A)+7, 10 bytes of data
  B -> A: Seq(B), ACK Seq(A)+17
  A -> B: Seq(A)+7, ACK Seq(B)
  B -> A: Seq(B), ACK Seq(A)+17
  ...

The last two steps are repeated forever.

The problem is host A receives an ACK for data it never sent. Instead of complaining, it resends its sequence number to B along with the ACK where it expects B's sequence number to be. B, on the other hand, assumes A is retransmitting old data--it's already received through Seq(A)+7. So, it simply ACKs receipt of the old data and notifies A of its current position in the stream, Seq(A)+17.

The result is an ACK war. Neither side is content with the other's response, so they re-ACK in an attempt to reposition the data stream. Neither side can win, so the network is completely hosed until A or B terminates the connection. (To both A and B it looks like the network is just slow, so they aren't likely to quit for a while.)
-Mike
--
Mike Neuman (mcn@EnGarde.com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn - http://www.cec.wustl.edu/~dmm2/egs/egs.htm
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS data structures for S[ystem] 5 didn't understand data types." - Solaris source
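As an added illustration that is not part of the post, the following Python model replays the scenario above with two endpoints that follow the simplified behaviour Mike describes (accept in-order data, re-ACK old data, re-send the current position when ACKed beyond it), and includes the two checks a monitor or a hardened stack would want: an ACK for bytes this side never sent, and the same empty exchange repeating with no progress. All sequence numbers are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    snd_nxt: int   # next sequence number this side will send
    rcv_nxt: int   # next sequence number this side expects from its peer

    def receive(self, seq, length, ack):
        """Process one incoming segment with the simplified behaviour the post
        describes and return (seq, ack) of the empty reply segment."""
        if length and seq == self.rcv_nxt:      # in-order data: accept it
            self.rcv_nxt += length
        # data with seq < rcv_nxt is taken as a retransmission: ignored, re-ACKed
        # ack > snd_nxt acknowledges data never sent; like host A in the post,
        # this model does not abort, it simply re-sends its current position
        return (self.snd_nxt, self.rcv_nxt)

def unsent_ack(endpoint, ack):
    """True when the peer acknowledges beyond what this endpoint transmitted."""
    return ack > endpoint.snd_nxt

def ack_war(trace, repeats=3):
    """True when the last `repeats` A/B exchanges are identical (no progress)."""
    tail = trace[-2 * repeats:]
    return len(tail) == 2 * repeats and all(x == tail[i % 2] for i, x in enumerate(tail))

def simulate(seq_a=1000, seq_b=5000, rounds=4):
    """Replay the post's exchange; return (trace, flagged_unsent_ack)."""
    a = Endpoint("A", seq_a, seq_b)
    b = Endpoint("B", seq_b, seq_a)
    trace = []                                  # (sender, seq, data_len, ack)
    # A -> B: 7 bytes of genuine data
    trace.append(("A", a.snd_nxt, 7, a.rcv_nxt)); a.snd_nxt += 7
    seq, ack = b.receive(seq_a, 7, seq_b); trace.append(("B", seq, 0, ack))
    a.receive(seq, 0, ack)                      # normal ACK, nothing to flag
    # W -> B: 10 spoofed bytes carrying the sequence number B expects from A
    trace.append(("W", seq_a + 7, 10, seq_b))
    seq, ack = b.receive(seq_a + 7, 10, seq_b); trace.append(("B", seq, 0, ack))
    flagged = unsent_ack(a, ack)                # A is ACKed for data it never sent
    # the ACK war: A and B re-ACK each other forever without progress
    for _ in range(rounds):
        seq, ack = a.receive(seq, 0, ack); trace.append(("A", seq, 0, ack))
        seq, ack = b.receive(seq, 0, ack); trace.append(("B", seq, 0, ack))
    return trace, flagged

if __name__ == "__main__":
    trace, flagged = simulate()
    for entry in trace:
        print(entry)
    print("unsent-ACK flagged:", flagged, "| ACK war:", ack_war(trace))
```

With the constructed values, A keeps answering with seq 1007 / ACK 5000 and B with seq 5000 / ACK 1017, which is the loop the post describes.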