very odd PF + FreeBSD6.0 problems

Mike Frantzen frantzen at openbsd.org
Fri Dec 16 11:05:05 PST 2005


> From the logged values and the source code we can deduce that the last
> two packets from the SSH server (that.host) to the client (this.host)
> were seen (by pf, in the kernel) exactly
>   delta_ts.tv_sec == 120
>   delta_ts.tv_usec == 82719
> apart. This approximately matches the difference in the bpf log, too.
> So, between those two subsequent packets, the server incremented its
> timestamp by
>   delta_tsval == 1424952994 - 1424712993 == 240001
> within the timespan of
>   delta_usec == 120 * 1000000 + 82719 == 2082719
> which means it incremented its timestamp with a frequency of about
>   ts_freq == 240001 / 2082719 usec ~= 115 kHz

If I were to see this in the wild, I would conclude it's a blind hijacking
attempt.  If a spoofer gets a packet inside the sequence window with a
significantly higher timestamp, then the victim will start ignoring the
packets from the original host with the smaller timestamps.  That lets
the blind spoofer take over the TCP connection without the ACK storm
that typically results from out-of-line hijacking.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28