
Collaborative Computational Project Number 14

for Single Crystal and Powder Diffraction

CCP14

Server Security Information

Configuring SGI O2 IRIX 6.5.x to make the TCP Sequence Prediction less predictable

The CCP14 Homepage is at http://www.ccp14.ac.uk

[Back to CCP14 Web/Config Main Page]

[Security Links Homepage] | [To FTP secure shell Tunnelling Page] | [To X secure shell Tunnelling] | [Routine Windows to UNIX Web updating using Rsync] | [Secure Routine Windows to UNIX Web updating using Teraterm and Rsync]

What is the point of this?

To make the SGI O2 IRIX web server slightly more secure. A scan with the latest nmap for UNIX (http://www.insecure.org/nmap/index.html) gives the following response, rating the server's TCP initial sequence numbers as trivially predictable:
TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

From: The Hurdy Gurdy Man [bryan@tep12.ucsd.edu]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
References: [l.cranswick.471.0648D177@dl.ac.uk]
Date: Fri, 14 Apr 2000 04:20:21 GMT
Organization: EarthLink Inc. -- http://www.EarthLink.net
Xref: daresbury comp.sys.sgi.admin:90511


Lachlan Cranswick  wrote:

> Main question:  with IRIX 6.5.7 - is there a webpage - description
> for making the TCP Sequence Prediction less predictable?
>
> TCP Sequence Prediction: Class=64K rule
>                          Difficulty=1 (Trivial joke)

Use systune to change the kernel tunable parameter "tcpiss_md5" to 1.  As
far as a web page talking about it goes, I'm sure there's some
documentation someplace on techpubs.sgi.com, but personally I find it
easier just to read through the comments in the files stored in
/var/sysgen/mtune until I find one that does what I want.  Check through
systune documentation; also, the "IRIX Admin: System Configuration and
Operation" online book (which should also be on techpubs) has lots of good
info too.

                                                        Bryan


Date: Mon, 17 Apr 2000 18:54:41 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [mjo@dojo.mi.org]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Reply-To: Mike O'Connor [mjo@dojo.mi.org]
Organization: Sonic Death Monkey


In article [A0JK4.9109$nb2.196407@vixen.cso.uiuc.edu],
Remove NO_SPAM to reply [mNeOn_sScPhAeMr@uiuc.edu] wrote:
:> Use systune to change the kernel tunable parameter "tcpiss_md5" to 1.  As
:> far as a web page talking about it goes, I'm sure there's some
:> documentation someplace on techpubs.sgi.com, but personally I find it
:> easier just to read through the comments in the files stored in
:> /var/sysgen/mtune until I find one that does what I want.  Check through
:> systune documentation; also, the "IRIX Admin: System Configuration and
:> Operation" online book (which should also be on techpubs) has lots of good
:> info too.
:
:What are the performance impacts of doing this?  Based on my
:understanding of TCP and sequence numbers, it seems the MD5 would
:only be done once per connection, so the performance hit shouldn't
:be too bad.  Can anyone verify this with experimental results?

My limited testing with this way back when showed no perceivable 
difference in performance.  But performance in some corner case
is probably the reason why some vendors have this as a system 
tunable off by default.

--
 Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
 Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481


Sender: Damian Menscher [menscher@intellx1.physics.uiuc.edu]
From: mNeOn_sScPhAeMr@uiuc.edu (Remove NO_SPAM to reply)
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Newsgroups: comp.sys.sgi.admin
Date: Tue, 18 Apr 2000 23:18:18 GMT
Organization: University of Illinois at Urbana-Champaign


Lachlan Cranswick [l.cranswick@dl.ac.uk] wrote:
> Following is a scan on my SGI O2 webserver running
> IRIX 6.5.7 with the latest nmap 
> http://www.insecure.org/nmap/index.html
>   (using the -O option to try and detect the operating system)

> Main question:  with IRIX 6.5.7 - is there a webpage - description
> for making the TCP Sequence Prediction

> TCP Sequence Prediction: Class=64K rule
>                          Difficulty=1 (Trivial joke)
> No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> TSeq(Class=64K)
> TSeq(Class=RI%gcd=80%SI=C8)
> TSeq(Class=64K)
> T1(Resp=Y%DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=N)

I've noticed that the difficulty level (and even the class!) changes
during multiple runs of nmap.  I've been experimenting with this a
bit, and tried to get more stable results by basing the prediction on
a longer sequence of numbers (i.e., 100 instead of 6).  I also got it
to print out the differences between subsequent numbers.  I found some
interesting results:

The offset is almost always a 64K rule, but can also be an 800 rule or
any of various other possible rules, including time dependent or (once)
truly random.  I think I'm finally starting to understand what SGI
meant in the file /var/sysgen/mtune/bsd:

* RFC1948: security fix for TCP source address spoofing by
* randomizing the low order bits of ISS (Initial Sequence number)
* using MD5
*  1 = use combination of MD5 and (nanotime, source/dst IP address/port
*      values and some dynamically changing virtual addresses) to
*      randomize ISS
*  0 = use just the nanotime and some dynamically changing virtual address
*      values to randomize ISS.   This is the default and by itself is
*      quite safe from source address spoofing.

The "dynamically changing virtual address values" (whatever _those_
are) must be changing on a time scale that's a bit longer than that of
the nmap scan.  So when nmap takes 6 sequence numbers they usually
differ only by the nanotime part of the rule.  But when you try to take
more numbers then the "dynamically changing" part bites you.

Which makes me wonder if SGI is really as silly as I had initially
thought.  Perhaps predicting their sequence isn't a "Trivial joke"
after all?

In the end, I'll probably still switch to using MD5.  Even though there
is more randomness in the default option than nmap gives it credit for,
I would assume that randomness on such a long time-scale isn't really
useful.

Comments?

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## [menscher@uiuc.edu] www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--


Date: Wed, 19 Apr 2000 01:20:05 GMT
Newsgroups: comp.sys.sgi.admin
From: Mike O'Connor [mjo@dojo.mi.org]
Subject: Re: IRIX 6.5.7: Making the TCP Sequence Prediction less predictable????
Organization: Sonic Death Monkey

You'll find that it's platform-specific...  you'll almost never get
nmap to show "trivial" sequence # prediction using an SGI that's
suitably fast, like an R10k something-or-other.

--
 Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: mjo@dojo.mi.org
 Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-848-4481


Enabling tcpiss_md5 with systune (no reboot required)

As root, run systune -i and enter the following at the systune prompt:

tcpiss_md5 = 1

quit

DONE!

Now check with nmap security scanner:

computer_name 103# nmap -sS -O computer_name

Result:

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3622 (Formidable)
Remote operating system guess: IRIX 6.5.7f
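As an added example (not from the original page or from nmap's source), the Python below reconstructs in simplified form what the TCP Sequence Prediction test quoted above does: it takes a list of ISNs sampled from one host, computes the increments between successive values modulo 2^32, and reports a class ("64K rule", "800 rule", "random positive increments", "truly random") with a spread-based difficulty index, the kind of analysis Damian Menscher describes doing over a longer sample. The class names are taken from this page; the decision rules, the standard-deviation difficulty index and the sample ISNs are constructed assumptions, not nmap's actual thresholds.

```python
import math
from typing import Dict, List

MOD = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap around


def isn_increments(isns: List[int]) -> List[int]:
    """Increments between successive sampled ISNs, taken modulo 2^32 so a
    counter that wraps past 0xFFFFFFFF still yields its true step size."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns: List[int]) -> Dict[str, object]:
    """Classify ISNs sampled from one host, in the spirit of the nmap TSeq
    test quoted on this page (simplified reconstruction, not nmap's code)."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    diffs = isn_increments(isns)
    gcd = 0
    for d in diffs:
        gcd = math.gcd(gcd, d)
    # An increment of 2^31 or more is a wrapped negative step: the ISN went
    # backwards, which a counter-style generator never does.
    if any(d >= MOD // 2 for d in diffs):
        return {"class": "truly random", "difficulty": None, "gcd": gcd}
    if all(d == 64000 for d in diffs):  # the "64K rule" seen with tcpiss_md5 = 0
        return {"class": "64K rule", "difficulty": 1, "gcd": gcd}
    if all(d == 800 for d in diffs):    # the "800 rule" mentioned in the thread
        return {"class": "800 rule", "difficulty": 1, "gcd": gcd}
    # Otherwise: random positive increments.  The population standard deviation
    # of the increments is used as the difficulty index (assumed metric): the
    # wider the spread, the less an observer can predict the next ISN.
    mean = sum(diffs) / len(diffs)
    var = sum((d - mean) ** 2 for d in diffs) / len(diffs)
    return {"class": "random positive increments",
            "difficulty": int(math.sqrt(var)), "gcd": gcd}


# Constructed samples (not captured from a real host).
SAMPLE_64K = [0x1F00_0000 + 64000 * i for i in range(6)]  # constant 64000 step
SAMPLE_WRAP = [0xFFFF_F000, 0x0000_EA00]                  # 64000 step across the wrap
SAMPLE_RANDOM = [0x4000_0000]                              # irregular positive steps
for step in (12000, 5000, 30000, 18000, 9000):
    SAMPLE_RANDOM.append((SAMPLE_RANDOM[-1] + step) % MOD)

if __name__ == "__main__":
    for name, sample in (("64K", SAMPLE_64K), ("wrap", SAMPLE_WRAP),
                         ("random", SAMPLE_RANDOM)):
        print(name, classify_isn(sample))
```

The 64K sample reproduces the "Class=64K rule, Difficulty=1" verdict from the first scan, while the irregular sample lands in "random positive increments" with a large difficulty index, mirroring the result after tcpiss_md5 was set.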

The following method did not seem to work for me, so use the systune option above instead, which does not require a reboot to take effect.

Change directory to the /var/sysgen/mtune directory:

cd /var/sysgen/mtune

Make the bsd file writable.

chmod +w bsd

Edit the bsd file.

vi bsd

Search for the term tcpiss_md5:

/tcpiss_md5

This gives the following section (the description on top may be missing):

*
* RFC1948: security fix for TCP source address spoofing by
* randomizing the low order bits of ISS (Initial Sequence number)
* using MD5
*  1 = use combination of MD5 and (nanotime, source/dst IP address/port
*      values and some dynamically changing virtual addresses) to
*      randomize ISS
*  0 = use just the nanotime and some dynamically changing virtual address
*      values to randomize ISS.   This is the default and by itself is
*      quite safe from source address spoofing.
*
* name                  default         minimum   maximum
tcpiss_md5                      0       0       1

Set default and minimum to 1 to enable the MD5-based randomization of the initial sequence number (the protection against source address spoofing described in the comment).

* name                  default         minimum   maximum
tcpiss_md5                      1       1       1

Make the bsd file non-writable again.

chmod -w bsd

Run /etc/autoconfig to build the new kernel before rebooting (this saves downtime during the reboot).

Run /etc/init 6 to reboot the machine.

Hopefully this will work and make you happy. If not, restore the previous settings in /var/sysgen/mtune/bsd, run autoconfig again, and reboot back to the previous kernel (there are other ways to return to a previous kernel).

