Subject: IP source address security issue
To: None <netbsd-bugs@NetBSD.ORG>
From: Lawrence E. Freil <lef@woods.com>
List: netbsd-bugs
Date: 01/26/1995 13:37:36
Hello,
I've made some relatively simple changes to the TCP connection sequence that should make the source IP address spoofing method of system intrusion much more difficult. What I've done is simply modify the iss (initial starting sequence) number to be a random value using the "random" function in libkern. I also had to modify random.c so that the seed value was a little less predictable (otherwise the sequence of random numbers becomes predictable). This should stop any attempts at breaking into the system by guessing the ISS value (the most common approach).

The changes I've made are as follows:
*** /sys/netinet/Otcp_usrreq.c Thu Jan 26 13:25:18 1995
--- /sys/netinet/tcp_usrreq.c Thu Jan 26 13:37:34 1995
***************
*** 196,202 ****
tcpstat.tcps_connattempt++;
tp->t_state =3D TCPS_SYN_SENT;
tp->t_timer[TCPT_KEEP] =3D TCPTV_KEEP_INIT;
! tp->iss =3D tcp_iss; tcp_iss +=3D TCP_ISSINCR/2;
tcp_sendseqinit(tp);
error =3D tcp_output(tp);
break;
--- 196,225 ----
tcpstat.tcps_connattempt++;
tp->t_state =3D TCPS_SYN_SENT;
tp->t_timer[TCPT_KEEP] =3D TCPTV_KEEP_INIT;
! tp->iss =3D tcp_iss;
! #ifdef ORIGONAL_TCP_ISS
! tcp_iss +=3D TCP_ISSINCR/2;
! #else
! /*
! * This is where the initial connection sequence
! * number is set. I'm modifying this to set it to
! * a random sequence. I can't use just the random
! * number here because that could be predicted as well
! * by knowing the random number generator sequence.
! * What I use is a combination of the time in microseconds
! * plus the random number generator and the previous =
tcp_iss.
! * This will slow down the code a little for a TCP =
connection
! * setup, but it is a small price to pay and since =
frequently
! * a session setup is slow anyway, it isn't likely that
! * the difference will be noticable.
! */
! if (1) {
! struct timeval avt;
!=20
! microtime(&avt);
! tcp_iss =3D (tcp_iss + avt.tv_usec + random()) & =
0x7fffffff;
! }
! #endif
tcp_sendseqinit(tp);
error =3D tcp_output(tp);
break;
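Review bot: the mix runs after `tp->iss = tcp_iss;`, so the connection being opened still receives the old global and the freshly mixed value is only handed to the next one; the first active open after boot therefore uses the unrandomized initial tcp_iss, and every later one uses a value that was computed at the previous connect. Move the `microtime()`/`random()` block ahead of the assignment, or write `tp->iss = tcp_iss;` after it. Two further points on the same hunk: it only covers the active-open path (`tcps_connattempt++`, `TCPS_SYN_SENT`), whereas an address-spoofing attacker needs to guess the ISS this host picks when it answers a spoofed SYN on a listening socket, which is assigned elsewhere and is not touched by this diff; and `avt.tv_usec` contributes fewer than 2^20 possible values while `random()` is the libkern generator whose reseeding is described in the mail but not included, so the unpredictability of the result rests entirely on that unshown random.c change (the `& 0x7fffffff` mask adds nothing to it). Style: `ORIGONAL_TCP_ISS` is misspelled (ORIGINAL), and `if (1) {` can be a plain block `{`.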
Lawrence Freil Usenet/DDN:lef@woods.com
Essential Technical Services Inc. or lef@dogwood.atl.ga.us
1768 Old Country Place Phone:(404) 667-9274
Woodstock, GA 30188
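Added here as an illustration, not code from the post or from NetBSD: a user-space C simulation of three ISS generators, so the guessing attack the mail describes can be seen end to end. `ISS_STEP` is an assumed per-connection increment (the real TCP_ISSINCR value is not quoted in the mail); `patched_next_iss` keeps the statement order of the posted hunk with `microtime()` and `random()` replaced by injected arguments; `keyed_iss` shows the per-connection keyed scheme that RFC 1948 later described, with FNV-1a standing in for the RFC's MD5 (not a secure keyed hash, only enough to show the structure). The secret and the two 4-tuples are constructed sample data using RFC 5737 test addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: fixed per-connection step of the unpatched generator. */
#define ISS_STEP (64u * 1024u)

static uint32_t g_iss; /* stand-in for the kernel's global tcp_iss */

void reset_iss(uint32_t v) { g_iss = v; }

/* 1. Unpatched 4.4BSD-style: hand out the global, then bump it by a fixed step. */
uint32_t legacy_next_iss(void)
{
    uint32_t iss = g_iss;
    g_iss += ISS_STEP;
    return iss;
}

/* Attacker's model: observe one ISS on a connection of their own, add the step. */
uint32_t legacy_predict(uint32_t observed)
{
    return observed + ISS_STEP;
}

/* 2. The posted patch with its order kept: assign first, mix second.
 * usec and rnd replace microtime() and random() so runs are reproducible. */
uint32_t patched_next_iss(uint32_t usec, uint32_t rnd)
{
    uint32_t iss = g_iss;
    g_iss = (g_iss + usec + rnd) & 0x7fffffffu;
    return iss;
}

/* Same mix with the order fixed: this connection gets the freshly mixed value. */
uint32_t patched_fixed_next_iss(uint32_t usec, uint32_t rnd)
{
    g_iss = (g_iss + usec + rnd) & 0x7fffffffu;
    return g_iss;
}

/* 3. Per-connection keyed scheme (RFC 1948 style):
 * ISS = clock + F(local addr, local port, foreign addr, foreign port, secret).
 * FNV-1a is a placeholder for the RFC's MD5 and is NOT a secure keyed hash. */
struct tuple { uint32_t laddr, faddr; uint16_t lport, fport; };

static void put_be(uint8_t *p, uint32_t v, int n)
{
    while (n-- > 0) { p[n] = (uint8_t)v; v >>= 8; }
}

static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

uint32_t keyed_iss(const struct tuple *t, const uint8_t secret[16], uint32_t clock)
{
    uint8_t buf[12];
    put_be(buf, t->laddr, 4);      put_be(buf + 4, t->faddr, 4);
    put_be(buf + 8, t->lport, 2);  put_be(buf + 10, t->fport, 2);
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, secret, 16);
    h = fnv1a(h, buf, sizeof buf);
    return clock + (uint32_t)(h ^ (h >> 32));
}

/* Constructed sample data: a secret and two 4-tuples on the same server. */
static const uint8_t kSecret[16] = { 0x3a,0x7f,0x11,0xc8,0x55,0x02,0xde,0x9b,
                                     0x40,0x66,0xa1,0x0e,0xf3,0x28,0x7c,0xd4 };
/* 192.0.2.1:2049 <- 198.51.100.1:23  (attacker's own, observable connection) */
static const struct tuple kAttackerTuple = { 0xC0000201u, 0xC6336401u, 2049, 23 };
/* 192.0.2.1:2049 <- 192.0.2.2:513    (spoofed trusted host, rlogin) */
static const struct tuple kSpoofedTuple  = { 0xC0000201u, 0xC0000202u, 2049, 513 };

int main(void)
{
    reset_iss(1000);
    uint32_t seen = legacy_next_iss();   /* attacker's own connection */
    uint32_t next = legacy_next_iss();   /* the spoofed connection */
    printf("legacy:  predicted %u, actual %u\n", legacy_predict(seen), next);

    reset_iss(1000);
    printf("patched: first ISS after boot is %u (mix applied only afterwards)\n",
           patched_next_iss(123456u, 987654321u));

    uint32_t a = keyed_iss(&kAttackerTuple, kSecret, 5000);
    uint32_t s = keyed_iss(&kSpoofedTuple, kSecret, 5000);
    printf("keyed:   attacker sees %u, spoofed tuple gets %u, step-guess %u\n",
           a, s, legacy_predict(a));
    return 0;
}
```

With the legacy generator the attacker's guess matches exactly; with the patch as posted the first connection after `reset_iss` still hands out the unmixed global; with the keyed scheme an ISS observed on the attacker's own 4-tuple carries no information about the ISS the spoofed 4-tuple will receive, because the secret, not the global counter, separates them.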