Saturday, 2 February 2013

Non-standard TCP/IP 3-way Handshakes


Our first technique is known as ISN Sampling. This involves looking
for patterns in the Initial Sequence Numbers chosen by the target in
response to the first SYN request. These sequence numbers should be
random, but different OSes react in characteristic ways:
• Random increments (pseudo-random) - e.g. Solaris, IRIX, FreeBSD,
Digital UNIX, CRAY.
• Time varied - Microsoft.
• Random - e.g. Linux, OpenVMS, AIX.
• Constant - 3Com, Apple LaserWriter.
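To make the ISN classes above concrete, here is an added example (not from the original post) that takes a run of captured ISNs and sorts them into the constant, fixed-increment, random-increment and random classes; it is the kind of check a defender would run against their own stack to confirm its ISNs are not guessable. The class thresholds and the sample runs are constructed assumptions for illustration, and the "time varied" class is not separable here because it needs probe timestamps.

```python
import math
from typing import List, Sequence

ISN_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def isn_deltas(samples: Sequence[int]) -> List[int]:
    """Differences between consecutive ISNs, reduced modulo 2^32 so a
    wraparound does not show up as a huge negative jump."""
    if len(samples) < 2:
        raise ValueError("need at least two ISN samples")
    return [(b - a) % ISN_MOD for a, b in zip(samples, samples[1:])]

def delta_spread_bits(deltas: Sequence[int]) -> float:
    """log2 of the range the increments occupy: close to 32 means the whole
    sequence space is used, a small value means the next ISN is easy to guess."""
    spread = max(deltas) - min(deltas)
    return math.log2(spread) if spread > 0 else 0.0

def classify_isn(samples: Sequence[int]) -> str:
    """Map a run of ISNs onto the classes listed in the post.
    The 24-bit threshold is an assumption chosen for this illustration."""
    deltas = isn_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"          # e.g. the same ISN on every connection
    if len(set(deltas)) == 1:
        return "fixed-increment"   # same step each time
    if delta_spread_bits(deltas) < 24:
        return "random-increment"  # varying but small positive steps
    return "random"                # increments span the 32-bit space

def is_predictable(samples: Sequence[int]) -> bool:
    """True when an off-path observer could guess the next ISN from a few
    samples, which is what makes a stack worth hardening or upgrading."""
    return classify_isn(samples) != "random"

# Constructed sample runs (not real captures), one per class in the post.
SAMPLES = {
    "constant": [0x12345678] * 5,
    "fixed-increment": [i * 64000 for i in range(5)],
    "random-increment": [1000, 8000, 20000, 23000, 32000],
    "random": [0x1A2B3C4D, 0xE5F60718, 0x2233AABB, 0x99887766, 0x01020304],
}

if __name__ == "__main__":
    for name, run in SAMPLES.items():
        print(f"{name:17s} -> {classify_isn(run)} (predictable={is_predictable(run)})")
```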
An operating system's reaction to a SYN flood attack is also an
indicator of its type. Most OSes will hold only a limited number of
pending connections - in many cases this is 8, although Linux will
accept more. Therefore, by sending a number of forged SYN requests
followed by a test connection, we may be able to establish at least the class
of the OS in question. SYN floods are often filtered by firewalls, or may
cause the target to crash, so this is a conspicuous identification
technique.
