RFC 1948 (rfc1948) - Page 1 of 6


Defending Against Sequence Number Attacks





Network Working Group                                        S. Bellovin
Request for Comments: 1948                                 AT&T Research
Category: Informational                                         May 1996


               Defending Against Sequence Number Attacks

Status of This Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   IP spoofing attacks based on sequence number spoofing have become a
   serious threat on the Internet (CERT Advisory CA-95:01).  While
   ubiquitous cryptographic authentication is the right answer, we propose
   a simple modification to TCP implementations that should be a very
   substantial block to the current wave of attacks.

Overview and Rationale

   In 1985, Morris [1] described a form of attack based on guessing what
   sequence numbers TCP [2] will use for new connections.  Briefly, the
   attacker gags a host trusted by the target, impersonates the IP
   address of the trusted host when talking to the target, and completes
   the 3-way handshake based on its guess at the next initial sequence
   number to be used.  An ordinary connection to the target is used to
   gather sequence number state information.  This entire sequence,
   coupled with address-based authentication, allows the attacker to
   execute commands on the target host.

   Clearly, the proper solution is cryptographic authentication [3,4].
   But it will be quite a long time before that is deployed.  It has
   therefore been necessary for many sites to restrict use of protocols
   that rely on address-based authentication, such as rlogin and rsh.
   Unfortunately, the prevalence of "sniffer attacks" -- network
   eavesdropping (CERT Advisory CA-94:01) -- has rendered ordinary
   TELNET [5] very dangerous as well.  The Internet is thus left without
   a safe, secure mechanism for remote login.

   We propose a simple change to TCP implementations that will block
   most sequence number guessing attacks.  More precisely, such attacks
   will remain possible if and only if the Bad Guy already has the
   ability to launch even more devastating attacks.
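   The guess described above works because a single global clock hands
   every connection, whoever the peer is, an ISN that one sampled
   connection reveals.  As an added example (not code from this RFC),
   the snippet below puts that generator beside the per-connection form
   RFC 1948 goes on to specify in its later pages, ISN = M +
   F(localhost, localport, remotehost, remoteport) keyed with a per-host
   secret and using MD5 as F; the addresses, ports and secret are
   constructed.

```python
import hashlib
import ipaddress
import secrets
import struct

ISN_MODULUS = 1 << 32
# Constructed example endpoints (RFC 5737 documentation addresses); not from the RFC.
TARGET, TRUSTED, ATTACKER, RLOGIN_PORT = "192.0.2.10", "203.0.113.5", "198.51.100.7", 513


def classic_isn(clock_ticks: int, *_connection_id) -> int:
    """RFC 793 style: one global 4-microsecond counter shared by every connection.
    Connection identity is ignored, so an ISN sampled on the attacker's own
    connection is exactly the ISN the spoofed connection gets at that instant."""
    return clock_ticks % ISN_MODULUS


def connection_offset(secret: bytes, local_addr: str, local_port: int,
                      remote_addr: str, remote_port: int) -> int:
    """F(localhost, localport, remotehost, remoteport, secret): constant for one
    4-tuple, but without the secret unrelated to any other 4-tuple's offset.
    MD5 is the hash RFC 1948 suggests; the secret never leaves the host."""
    conn_id = (ipaddress.ip_address(local_addr).packed + struct.pack("!H", local_port)
               + ipaddress.ip_address(remote_addr).packed + struct.pack("!H", remote_port))
    return struct.unpack("!I", hashlib.md5(secret + conn_id).digest()[:4])[0]


def rfc1948_isn(secret: bytes, clock_ticks: int, local_addr: str, local_port: int,
                remote_addr: str, remote_port: int) -> int:
    """ISN = M + F(...): the clock still makes ISNs advance for one connection
    identity, while the offset hides the clock from anyone who can only observe
    ISNs issued to other 4-tuples."""
    offset = connection_offset(secret, local_addr, local_port, remote_addr, remote_port)
    return (clock_ticks + offset) % ISN_MODULUS


def probe_vs_spoof_gap(isn_fn, clock_ticks: int) -> int:
    """The prediction step from the overview: compare the ISN issued to the
    attacker's own connection with the one issued, at the same tick, to the
    connection claiming to be TRUSTED. 0 means the sample predicts perfectly."""
    probe = isn_fn(clock_ticks, TARGET, RLOGIN_PORT, ATTACKER, 40000)
    spoof = isn_fn(clock_ticks, TARGET, RLOGIN_PORT, TRUSTED, 1023)
    return (spoof - probe) % ISN_MODULUS

if __name__ == "__main__":
    key = secrets.token_bytes(16)  # per-boot secret, regenerated at every boot
    keyed = lambda t, *conn: rfc1948_isn(key, t, *conn)
    print("global clock gap:", probe_vs_spoof_gap(classic_isn, 1_000_000))
    print("RFC 1948 gap:    ", probe_vs_spoof_gap(keyed, 1_000_000))
```

   With the keyed form the gap between the two connections is a constant
   fixed by the secret, so the clock value behind the spoofed
   connection's ISN is not recoverable from the attacker's own sample.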





Bellovin                     Informational

