%!PS
%%Version: 3.3.2
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.2 prologue for troff files.
%
% Reader notes (comments only; no operator or operand has been changed):
%
%   * The page strings below carry the paper "A Weakness in the 4.2BSD Unix
%     TCP/IP Software" (Robert T. Morris, dated February 25, 1985).
%   * In the copy under review the line breaks had been collapsed, so every
%     "%" comment ran on to the end of a very long line and hid the code that
%     followed it. Line breaks are restored here; a string that had been cut
%     by a stray line break is re-joined at that point.
%   * PostScript is an executable language, so a file like this is a program,
%     not passive data. The text shown here only defines procedures, sets up
%     fonts and paints text; no file, run or exitserver operator appears.
%     Two procedures act as hooks for code this text does not define:
%     pagesetup (runs a pagedict entry if one is known) and done (runs
%     lastpage if some dictionary on the stack defines it).
%

% Default page parameters. The %%BeginSetup section overrides some of them.
/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def

/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def

% Short troff font names. Executing one of these names pushes the PostScript
% font name that the f procedure then hands to findfont.
/R /Times-Roman def
/I /Times-Italic def
/B /Times-Bold def
/BI /Times-BoldItalic def
/H /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
% S and S1 name the two fonts that addmetrics builds with cf.
/S /S def
/S1 /S1 def
/GR /Symbol def

/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def

/show {show} bind def           % so later references don't bind
/widthshow {widthshow} bind def
/stringwidth {stringwidth} bind def

% setup: establish the page coordinate system. It is called once, at the end
% of the %%BeginSetup section.
/setup {
    % def every name/value pair still above the mark, then drop the mark
    counttomark 2 idiv {def} repeat pop

    landscape {/orientation 90 orientation add def} if

    % resolution is 720 here, so one page unit is 72/720 of a point
    /scaling 72 resolution div def
    linewidth setlinewidth
    1 setlinecap

    pagedimensions
    xcenter ycenter translate
    orientation rotation mul rotate
    % move the origin to the top left corner; the text procedures negate y,
    % so page coordinates grow downward from there
    width 2 div neg height 2 div translate
    xoffset inch yoffset inch neg translate
    margin 2 div dup neg translate
    magnification dup aspectratio mul scale
    scaling scaling scale

    addmetrics
    0 0 moveto
} def

% pagedimensions: derive width, height, xcenter and ycenter from pagebbox.
% On the first call (gotpagebbox not yet in userdict) pagebbox is replaced by
% the bounding box of the clipping path when useclippath is true.
/pagedimensions {
    useclippath userdict /gotpagebbox known not and {
        /pagebbox [clippath pathbbox newpath] def
        roundpage currentdict /roundpagebbox known and {roundpagebbox} if
    } if
    pagebbox aload pop
    4 -1 roll exch 4 1 roll 4 copy
    landscape {4 2 roll} if
    sub /width exch def
    sub /height exch def
    add 2 div /xcenter exch def
    add 2 div /ycenter exch def
    userdict /gotpagebbox true put
} def

% addmetrics: build font S from Symbol and font S1 from Times-Roman, each
% with the metric adjustments listed in Sdefs and S1defs.
/addmetrics {
    /Symbol /S null Sdefs cf
    /Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def

% pagesetup: record the page number, then run a per-page procedure from
% pagedict if both pagedict and an entry for this page are known. pagedict is
% not defined in the text shown here, so as written this is an optional hook.
/pagesetup {
    /page exch def
    currentdict /pagedict known currentdict page known and {
        page load pagedict exch get cvx exec
    } if
} def

% Candidate bodies for the t operator; setdecoding picks one by index.
% Entry 2 is the one this file selects ("2 setdecoding" in the setup section).
/decodingdefs [
    {counttomark 2 idiv {y moveto show} repeat}
    {neg /y exch def counttomark 2 idiv {y moveto show} repeat}
    {neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
    {neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
    {counttomark 2 idiv {y moveto show} repeat}
    {neg setfunnytext}
] def

/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def

% w: (string) x y w  -- show string at x, -y with no width adjustment
/w {neg moveto show} bind def
/m {neg dup /y exch def moveto} bind def
% done: run lastpage if any dictionary on the stack defines it; the text
% shown here does not define it.
/done {/lastpage where {pop lastpage} if} def

% f: ptsize fontname f  -- select a font. The point size is divided by
% scaling so that it is expressed in page units.
/f {
    dup /font exch def findfont exch
    dup /ptsize exch def scaling div dup /size exch def scalefont setfont
    linewidth ptsize mul scaling 10 mul div setlinewidth
    /spacewidth ( ) stringwidth pop def
} bind def

% changefont: slant height changefont  -- rebuild the current font with a
% sheared and vertically rescaled matrix.
/changefont {
    /fontheight exch def
    /fontslant exch def
    currentfont [
        1 0
        fontheight ptsize div fontslant sin mul fontslant cos div
        fontheight ptsize div
        0 0
    ] makefont setfont
} bind def

/sf {f} bind def

% cf: basefont newfont newencoding chtab cf
% Copy basefont (every entry except FID), install newencoding when it is an
% array, attach a Metrics dictionary filled from the name/array pairs in
% chtab, and define the result as newfont.
/cf {
    dup length 2 idiv
    /entries exch def
    /chtab exch def
    /newencoding exch def
    /newfont exch def

    findfont dup length 1 add dict
    /newdict exch def
    {1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall

    newencoding type /arraytype eq {newdict /Encoding newencoding put} if

    newdict /Metrics entries dict put
    newdict /Metrics get
    begin
        chtab aload pop
        1 1 entries {pop def} for
        newfont newdict definefont pop
    end
} bind def

%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
%       /radical        [0 -75 550 0]
%       /radicalex      [-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%

/Sdefs [
    /bracketlefttp      [201 500]
    /bracketleftbt      [201 500]
    /bracketrighttp     [-81 380]
    /bracketrightbt     [-83 380]
    /braceleftbt        [203 490]
    /bracketrightex     [220 -125 500 0]
    /radical            [0 0 550 0]
    /radicalex          [-50 0 500 0]
    /parenleftex        [-20 -170 0 0]
    /integral           [100 -50 500 0]
    /infinity           [10 -75 730 0]
] def

/S1defs [
    /underscore         [0 80 500 0]
    /endash             [7 90 650 0]
] def

%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%

/roundpagebbox {
    7 dict begin
        /papersizes [8.5 inch 11 inch 14 inch 17 inch] def

        % mappapersize: return the papersizes entry closest to val when it
        % lies within slop (half an inch) of val, otherwise val unchanged
        /mappapersize {
            /val exch def
            /slop .5 inch def
            /diff slop def
            /j 0 def
            0 1 papersizes length 1 sub {
                /i exch def
                papersizes i get val sub abs
                dup diff le {/diff exch def /j i def} {pop} ifelse
            } for
            diff slop lt {papersizes j get} {val} ifelse
        } def

        pagebbox 0 0 put
        pagebbox 1 0 put
        pagebbox dup 2 get mappapersize 2 exch put
        pagebbox dup 3 get mappapersize 3 exch put
    end
} bind def

%%EndProlog
%%BeginSetup
% This mark is the one that setup later counts back to and pops.
mark
/linewidth 0.5 def
/#copies 1 store
/landscape false def
/resolution 720 def
%
% Encoding vector and redefinition of findfont for the ISO Latin1 standard.
% The 18 characters missing from ROM based fonts on older printers are noted
% below.
%

/ISOLatin1Encoding [
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /space /exclam /quotedbl /numbersign /dollar /percent /ampersand /quoteright
    /parenleft /parenright /asterisk /plus /comma /minus /period /slash
    /zero /one /two /three /four /five /six /seven
    /eight /nine /colon /semicolon /less /equal /greater /question
    /at /A /B /C /D /E /F /G
    /H /I /J /K /L /M /N /O
    /P /Q /R /S /T /U /V /W
    /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore
    /quoteleft /a /b /c /d /e /f /g
    /h /i /j /k /l /m /n /o
    /p /q /r /s /t /u /v /w
    /x /y /z /braceleft /bar /braceright /asciitilde
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
    /.notdef
    /dotlessi /grave /acute /circumflex /tilde /macron /breve /dotaccent
    /dieresis /.notdef /ring /cedilla /.notdef /hungarumlaut /ogonek /caron
    /space /exclamdown /cent /sterling /currency /yen
    /brokenbar          % missing
    /section /dieresis /copyright /ordfeminine /guillemotleft /logicalnot
    /hyphen /registered /macron
    /degree             % missing
    /plusminus          % missing
    /twosuperior        % missing
    /threesuperior      % missing
    /acute
    /mu                 % missing
    /paragraph /periodcentered /cedilla
    /onesuperior        % missing
    /ordmasculine /guillemotright
    /onequarter         % missing
    /onehalf            % missing
    /threequarters      % missing
    /questiondown
    /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
    /Egrave /Eacute /Ecircumflex /Edieresis /Igrave /Iacute /Icircumflex /Idieresis
    /Eth                % missing
    /Ntilde /Ograve /Oacute /Ocircumflex /Otilde /Odieresis
    /multiply           % missing
    /Oslash /Ugrave /Uacute /Ucircumflex /Udieresis
    /Yacute             % missing
    /Thorn              % missing
    /germandbls
    /agrave /aacute /acircumflex /atilde /adieresis /aring /ae /ccedilla
    /egrave /eacute /ecircumflex /edieresis /igrave /iacute /icircumflex /idieresis
    /eth                % missing
    /ntilde /ograve /oacute /ocircumflex /otilde /odieresis
    /divide             % missing
    /oslash /ugrave /uacute /ucircumflex /udieresis
    /yacute             % missing
    /thorn              % missing
    /ydieresis
] def

% Cache of fonts already looked up through the redefined findfont below.
/NewFontDirectory FontDirectory maxlength dict def

%
% Apparently no guarantee findfont is defined in systemdict so the obvious
%
%       systemdict /findfont get exec
%
% can generate an error. So far the only exception is a VT600 (version 48.0).
%

userdict /@RealFindfont known not {
    userdict begin
        /@RealFindfont systemdict begin /findfont load end def
    end
} if

% findfont (redefined): on the first request for a name, fetch the font via
% @RealFindfont; if its Encoding is StandardEncoding, define a copy (all
% entries except FID) re-encoded with ISOLatin1Encoding; store the result in
% NewFontDirectory. Every request is then answered from NewFontDirectory.
/findfont {
    dup NewFontDirectory exch known not {
        dup
        %dup systemdict /findfont get exec      % not always in systemdict
        dup userdict /@RealFindfont get exec
        dup /Encoding get StandardEncoding eq {
            dup length dict begin
                {1 index /FID ne {def}{pop pop} ifelse} forall
                /Encoding ISOLatin1Encoding def
                currentdict
            end
            /DummyFontName exch definefont
        } if
        NewFontDirectory 3 1 roll put
    } if
    NewFontDirectory exch get
} bind def

setup
% Select decodingdefs entry 2 as the t operator used by the page bodies.
2 setdecoding
%%EndSetup

%
% How to read the page bodies (derived from the procedures above):
%
%   size name f         select a font, e.g. "12 B f" is Times-Bold at 12 point
%   (string) x y w      show string at x, y
%   (string) k width ... n x y t
%                       move to x, y, then show n strings; each string is
%                       stretched to "width" by adding (width minus its
%                       natural width) divided by k to every space character
%
%   x and y are in units of 72/720 point, with y measured downward.
%   Where one t statement carries several strings, the string written LAST is
%   shown first, so the text segments of a line appear in reverse reading
%   order in this file.
%   \255 is decimal 173, which ISOLatin1Encoding above maps to /hyphen.
%   Each page is wrapped in save/restore and in mark/cleartomark.
%

% Page 0: title, author, affiliation, abstract and trademark footnote.
%%Page: 0 1
/saveobj save def
mark
1 pagesetup
12 B f
(A Weakness in the 4.2BSD Unix)5 1641 1 1573 1230 t
12 S1 f
% \262 in the S1 font is the footnote mark attached to "Unix"
(\262)3214 1230 w
12 B f
(TCP/IP Software)1 882 1 3304 1230 t
10 I f
(Robert T. Morris)2 681 1 2539 1470 t
10 R f
(AT&T Bell Laboratories)2 993 1 2383 1650 t
(Murray Hill, New Jersey 07974)4 1267 1 2246 1770 t
10 I f
(ABSTRACT)2643 2270 w
10 R f
( of the Unix operating system \(4.2BSD for)7 1746(The 4.2 Berkeley Software Distribution)4 1604 2 1330 2530 t
( software based on the "TCP/IP" family of protocols.)8 2148(short\) features an extensive body of)5 1452 2 1080 2650 t
( "trusts" some set of other systems, allowing users)8 2158(In particular, each 4.2BSD system)4 1442 2 1080 2770 t
( TCP/IP network without supply\255)4 1354(logged into trusted systems to execute commands via a)8 2246 2 1080 2890 t
( notes describe how the design of TCP/IP and the 4.2BSD imple\255)11 2670( These)1 294(ing a password.)2 636 3 1080 3010 t
( very distant hosts to masquerade as users)7 1667(mentation allow users on untrusted and possibly)6 1933 2 1080 3130 t
( Labs has a growing TCP/IP network connecting machines with)9 2685( Bell)1 232(on trusted hosts.)2 683 3 1080 3250 t
( perhaps steps should be taken to reduce their vulnerability to each)11 2670(varying security needs;)2 930 2 1080 3370 t
(other.)1080 3490 w
(February 25, 1985)2 735 1 720 3970 t
10 S1 f
(_ ______________)1 720 1 720 6600 t
8 S1 f
(\262)720 6700 w
8 R f
(Unix is a Trademark of AT&T Bell Laboratories.)7 1574 1 780 6700 t
cleartomark
showpage
saveobj restore
%%EndPage: 0 1

% Page 1: title block again, then background on TCP/IP, the remote execution
% server's host-based trust check, and footnotes citing RFC 791 and RFC 793.
%%Page: 1 2
/saveobj save def
mark
2 pagesetup
12 B f
(A Weakness in the 4.2BSD Unix)5 1641 1 1573 1230 t
12 S1 f
(\262)3214 1230 w
12 B f
(TCP/IP Software)1 882 1 3304 1230 t
10 I f
(Robert T. Morris)2 681 1 2539 1470 t
10 R f
(AT&T Bell Laboratories)2 993 1 2383 1650 t
(Murray Hill, New Jersey 07974)4 1267 1 2246 1770 t
( "TCP/IP" network protocol standard was designed in 1979 to implement an)11 3066(The Defense Department)2 1004 2 970 2046 t
( of networks, highly variable in reliability and speed, connected by computers acting as)13 3564("internet": a group)2 756 2 720 2166 t
( of the more popular Unix TCP/IP implementations comes with the 4.2BSD system, used)13 3699(gateways. One)1 621 2 720 2286 t
( Unix TCP/IP software is very)5 1253( 4.2BSD)1 354( The)1 214(both within Bell Labs and on Defense Department networks.)8 2499 4 720 2406 t
( The)1 217( security.)1 378(flexible and convenient, but places too much trust in a protocol which provides very little)14 3725 3 720 2526 t
( the system it runs on, and is not dependant on the hard\255)12 2294(attack described here requires no modifications to)6 2026 2 720 2646 t
(ware of the network involved.)4 1200 1 720 2766 t
( Protocol" and an "Internet Pro\255)5 1271(TCP/IP conceptually divides into two layers, a "Transmission Control)8 2799 2 970 2922 t
( IP layer)2 342(tocol". The)1 473 2 720 3042 t
% footnote reference 1, set smaller and 50 units above the text line
8 R f
(1)1548 2992 w
10 R f
( one host to another, via networks and gate\255)8 1768(sends packets of data \("datagrams"\) from)5 1657 2 1615 3042 t
( TCP)1 235(ways interconnecting them.)2 1103 2 720 3162 t
% footnote reference 2
8 R f
(2)2071 3112 w
10 R f
( providing reliable)2 742(supports a number of "ports" on each host running IP,)9 2161 2 2137 3162 t
(and flow controlled "virtual circuits" between these ports; TCP circuits are built on top of the IP datagram)17 4320 1 720 3282 t
( of control information followed by data; in the)8 1975( TCP or IP packet consists of a header full)9 1779(service. Each)1 566 3 720 3402 t
( important)1 416( The)1 207( TCP the data is supplied by the user, while the data in an IP packet is a TCP packet.)19 3415(case of)1 282 4 720 3522 t
( an)1 139(parts of the TCP header are a source port number, a destination port number, a sequence number,)16 4181 2 720 3642 t
( numbers identify which virtual circuit is involved, the)8 2187( port)1 188( The)1 207(acknowledgement number, and some flags.)4 1738 4 720 3762 t
( correct order, and the flags)5 1171(sequence and acknowledgement numbers ensure that data is received in the)10 3149 2 720 3882 t
( IP header consists primarily of source and destination host identi\255)10 2687( An)1 176(affect the state of the virtual circuit.)6 1457 3 720 4002 t
( is also a protocol num\255)5 951( There)1 284( a host and a network.)5 886(fiers; these are 32 bit numbers which uniquely indicate)8 2199 4 720 4122 t
(ber indicating which protocol layer \(e.g. TCP\) IP should direct the packet data to.)13 3256 1 720 4242 t
( port)1 202(4.2BSD provides a remote execution "server", which listens for TCP connection requests on)12 3868 2 970 4398 t
( a machine, the server checks that the originating host is "trusted" by)12 2826( such a request arrives at)5 1023(514. When)1 471 3 720 4518 t
( the source host is OK, the)6 1093( If)1 122( the IP header to a list of trusted computers.)9 1796(comparing the source host ID in)5 1309 4 720 4638 t
( weakness in)2 524( The)1 212( provides.)1 401(server reads a user id and a command to execute from the virtual circuit TCP)14 3183 4 720 4758 t
( itself fills in the IP source host id, and there is no provision in 4.2BSD or)16 2960(this scheme is that the source host)6 1360 2 720 4878 t
(TCP/IP to discover the true origin of a packet.)8 1845 1 720 4998 t
( way to produce TCP/IP packets with incorrect source host id's would be to talk directly to)16 3693(The ideal)1 377 2 970 5154 t
( forge)1 236( provides no such network interface, so other means must be sought to)12 2834( 4.2BSD)1 372(the network involved.)2 878 4 720 5274 t
( allow privileged users to send IP packets, though; with mini\255)10 2497( does)1 211( 4.2BSD)1 373(packets from 4.2BSD systems.)3 1239 4 720 5394 t
( IP kernel code can be made to supply the correct protocol number \(6\), and an incorrect host)17 3765(mal effort the)2 555 2 720 5514 t
( a 4.2BSD "socket" with type "SOCK)6 1569( details involve creating)3 984( The)1 214(id, in the IP header.)4 818 4 720 5634 t
% the underscore of SOCK_RAW is set separately in the S font
10 S f
(_)4305 5634 w
10 R f
(RAW", and then)2 685 1 4355 5634 t
(writing on the kernel data structures to change the protocol number associated with "SOCK)13 3798 1 720 5754 t
10 S f
(_)4518 5754 w
10 R f
(RAW" to 6)2 472 1 4568 5754 t
( that at least)3 504( requires privileges; however, it is likely)6 1654( This)1 235(\(that of TCP\) and to change the source host id.)9 1927 4 720 5874 t
( a determined)2 565(one system on a large network will be insecure enough to supply appropriate powers after)14 3755 2 720 5994 t
(attack.)720 6114 w
( a TCP circuit without)4 897(With appropriate access to IP, a user process can create and manage one end of)14 3173 2 970 6270 t
( detect inaccurate)2 721( TCP header contains a checksum to)6 1531( Each)1 262(using the TCP software in the Unix kernel.)7 1806 4 720 6390 t
( IP header.)2 455( checksum covers not only the TCP header and data, but also some of the)14 3094(transmission. This)1 771 3 720 6510 t
( the IP header with which the kernel will encapsulate)9 2169(Hence the user software must predict the contents of)8 2151 2 720 6630 t
% footnote rule and footnotes
8 S1 f
(__________________)720 6730 w
(\262)720 6830 w
8 R f
(Unix is a Trademark of AT&T Bell Laboratories.)7 1574 1 780 6830 t
(1. RFC 791, University of Southern California ISI,)7 1622 1 720 6930 t
(Marina del Ray, Cal. 90291)4 886 1 780 7030 t
(2. RFC 793, Sept 1981)4 735 1 720 7130 t
10 R f
(February 25, 1985)2 735 1 2500 7680 t
cleartomark
showpage
saveobj restore
%%EndPage: 1 2

% Page 2: TCP connection states, the abbreviated state table, the initial
% sequence number scheme of 4.2BSD, and the role of the listen queue.
%%Page: 2 3
/saveobj save def
mark
3 pagesetup
10 R f
(\255 2 \255)2 166 1 2797 480 t
( this stage, a user process can send individual TCP packets.)10 2369( At)1 150(the TCP packet.)2 641 3 720 840 t
( states are LISTEN, SYN)4 1148(The interesting TCP connection)3 1373 2 970 996 t
10 S f
(_)3491 996 w
10 R f
(SENT, SYN)1 534 1 3541 996 t
10 S f
(_)4075 996 w
10 R f
(RCVD, and ESTAB\255)2 915 1 4125 996 t
( packet flags)2 524( The)1 215( state.)1 243( TCP connection also maintains a sequence number as part of its)11 2698(LISHED. Each)1 640 5 720 1116 t
( num\255)1 240(SYN, ACK, and RST \(synchronize, acknowledge, and reset\), as well as the packet acknowledgement)13 4080 2 720 1236 t
( end of a connection starts by sending a SYN and entering SYN)12 2594( One)1 220(ber, affect the state.)3 795 3 720 1356 t
10 S f
(_)4329 1356 w
10 R f
(SENT; the other)2 661 1 4379 1356 t
( is represented by a)4 798( the abbreviated state table following, each message)7 2115( In)1 139(end starts out in LISTEN state.)5 1268 4 720 1476 t
( Each)1 264( the packet sequence number, the acknowledgement number, and possibly some data.)11 3575(packet flag,)1 481 3 720 1596 t
( possibly an error; each of the)6 1192(state/event combination usually leads to a packet being sent, a state change, or)12 3128 2 720 1716 t
( means the sequence number)4 1155( M)1 141( to be sent and a state to be entered.)9 1437(boxes in the diagram indicates a packet)6 1587 4 720 1836 t
( means the sequence number remembered as part of the state of the TCP port.)14 3138(of the packet just received; N)5 1182 2 720 1956 t
(For instance, M would refer to the X in the received packet ACK,X,Y.)12 2816 1 720 2076 t
% State table. Horizontal rules are runs of underscores in the S font; the
% cell text is in the R font.
10 S f
(_ __________________________________________________)1 2535 1 1612 2276 t
10 R f
(SYN,X,Y ACK,X,Y,data)1 1418 1 2484 2396 t
10 S f
(_ __________________________________________________)1 2535 1 1612 2406 t
(_ __________________________________________________)1 2535 1 1612 2426 t
10 R f
(LISTEN SYN,N++,M+1)1 1451 1 1662 2536 t
(SYN)2484 2656 w
10 S f
(_)2684 2656 w
10 R f
(RCVD error)1 765 1 2734 2656 t
10 S f
(_ __________________________________________________)1 2535 1 1612 2676 t
10 R f
(SYN)1662 2796 w
10 S f
(_)1862 2796 w
10 R f
(SENT ACK,N,M+1)1 1100 1 1912 2796 t
(ESTABLISHED error)1 1015 1 2484 2916 t
10 S f
(_ __________________________________________________)1 2535 1 1612 2936 t
10 R f
(SYN)1662 3056 w
10 S f
(_)1862 3056 w
10 R f
(RCVD RST,N,M)1 967 1 1912 3056 t
(error ESTABLISHED)1 1494 1 2484 3176 t
10 S f
(_ __________________________________________________)1 2535 1 1612 3196 t
10 R f
( len)1 147( ACK,N,M+data)1 1071(ESTABLISHED RST,N,M)1 1217 3 1662 3316 t
(error ESTABLISHED)1 1494 1 2484 3436 t
(\(send data to user\))3 734 1 3306 3556 t
% Bottom rule, then code \347 of the S font repeated every 100 units at five
% x positions; these look like the vertical rules of the table.
10 S f
( \347)1 -2535(_ __________________________________________________)1 2535 2 1612 3576 t
(\347)1612 3476 w
(\347)1612 3376 w
(\347)1612 3276 w
(\347)1612 3176 w
(\347)1612 3076 w
(\347)1612 2976 w
(\347)1612 2876 w
(\347)1612 2776 w
(\347)1612 2676 w
(\347)1612 2576 w
(\347)1612 2476 w
(\347)1612 2376 w
(\347)2399 3576 w
(\347)2399 3476 w
(\347)2399 3376 w
(\347)2399 3276 w
(\347)2399 3176 w
(\347)2399 3076 w
(\347)2399 2976 w
(\347)2399 2876 w
(\347)2399 2776 w
(\347)2399 2676 w
(\347)2399 2576 w
(\347)2399 2476 w
(\347)2399 2376 w
(\347)2419 3576 w
(\347)2419 3476 w
(\347)2419 3376 w
(\347)2419 3276 w
(\347)2419 3176 w
(\347)2419 3076 w
(\347)2419 2976 w
(\347)2419 2876 w
(\347)2419 2776 w
(\347)2419 2676 w
(\347)2419 2576 w
(\347)2419 2476 w
(\347)2419 2376 w
(\347)3231 3576 w
(\347)3231 3476 w
(\347)3231 3376 w
(\347)3231 3276 w
(\347)3231 3176 w
(\347)3231 3076 w
(\347)3231 2976 w
(\347)3231 2876 w
(\347)3231 2776 w
(\347)3231 2676 w
(\347)3231 2576 w
(\347)3231 2476 w
(\347)3231 2376 w
(\347)4147 3576 w
(\347)4147 3476 w
(\347)4147 3376 w
(\347)4147 3276 w
(\347)4147 3176 w
(\347)4147 3076 w
(\347)4147 2976 w
(\347)4147 2876 w
(\347)4147 2776 w
(\347)4147 2676 w
(\347)4147 2576 w
(\347)4147 2476 w
(\347)4147 2376 w
10 R f
( both sides of the connection are in the ESTABLISHED state, after)11 2800(Data is sent by ACK,N,M,data when)5 1520 2 720 3876 t
( are also other states and flags having to do with)10 1995( There)1 289( the length of the data.)5 928(which N is incremented by)4 1108 4 720 3996 t
(closing connections which are not relevant here.)6 1926 1 720 4116 t
( by 128 each second and by)6 1109(4.2BSD maintains a global initial sequence number, which is incremented)9 2961 2 970 4272 t
( a SYN packet)3 594( When)1 294(64 after each connection is started; each new connection starts off with this number.)13 3432 3 720 4392 t
( a host, the destination host will send the reply to the presumed source)13 2946(with a forged source is sent from)6 1374 2 720 4512 t
( number in that lost)4 798( forging host must discover or guess what the sequence)9 2259( The)1 211(host, not the forging host.)4 1052 4 720 4632 t
( ESTABLISHED state.)2 966(packet was, in order to acknowledge it and put the destination TCP port in the)14 3354 2 720 4752 t
( number is easy when the destination runs 4.2BSD; one need only create a real)14 3220(Guessing the lost sequence)3 1100 2 720 4872 t
( forging pro\255)2 528( the)1 155( Once)1 268(connection, look in the kernel for the sequence number received, and add 64 to it.)14 3369 4 720 4992 t
( connection is fully set up and data may be sent, though not)12 2433(gram acknowledges this sequence number, the)5 1887 2 720 5112 t
(received, by the program.)3 1022 1 720 5232 t
( disappear.)1 437(Unfortunately, the SYN packet sent by the destination to the putative source does not just)14 3633 2 970 5388 t
( a non\255existent circuit, and sends a packet with a RST flag to the)13 2600(The supposed source sees it as a packet on)8 1720 2 720 5508 t
( instance: Host A sends a)5 1072( For)1 202( throw away the forged circuit.)5 1295( causes the destination to)4 1047(destination. This)1 704 5 720 5628 t
( sends a SYN packet to C, and C sends a RST packet to)13 2285( B)1 122( the source was C.)4 749(forged packet to B, claiming)4 1164 4 720 5748 t
( generate RSTs)2 618( only ports on C that won't always)7 1401( The)1 208( throws away the circuit that A is forging to it.)10 1881(B. B)1 212 5 720 5868 t
( have finite)2 453( listening ports)2 601( Those)1 297(in this situation are those which are waiting, or listening, for connections.)11 2969 4 720 5988 t
( of connections waiting to be set up; if this queue length is exceeded, the requesting SYN)16 3757(length queues)1 563 2 720 6108 t
( originator is expected to resend the SYN)7 1692( The)1 211( be thrown away, but no reset will be generated.)9 1969(packet will)1 448 4 720 6228 t
( it)1 85( Thus)1 254( look the same.)3 617( that original SYN packets and response SYN packets)8 2176( Note)1 247(packet after timing out.)3 941 6 720 6348 t
( are coming from a port on the supposed source that)10 2074(suffices for the forging process to claim that the packets)9 2246 2 720 6468 t
(has a server listening for connections, and for the forger to flood that port with connection requests.)16 3976 1 720 6588 t
( named B, the source to)5 968(In summary, suppose the forging program is named A, its destination host is)12 3102 2 970 6744 t
( is number 514, the remote execution server's port; A will)10 2386( port on B involved)4 810( The)1 213(be forged is named C.)4 911 4 720 6864 t
( chain of events on A is)6 949( The)1 205(forge packets from port 21 on host C, which is usually waiting for connections.)13 3166 3 720 6984 t
(as follows:)1 436 1 720 7104 t
(February 25, 1985)2 735 1 2500 7680 t
cleartomark
showpage
saveobj restore
%%EndPage: 2 3

% Page 3: the summary list of events, then the closing paragraph on possible
% defences (less predictable sequence numbers, genuine source host ids from
% the network, trusting only hosts on the same physical network with gateways
% rejecting packets that falsely claim a directly connected source).
%%Page: 3 4
/saveobj save def
mark
4 pagesetup
10 R f
(\255 3 \255)2 166 1 2797 480 t
(Swamp port 21 on C with connection requests.)7 1871 1 1080 900 t
(Create a real connection to a port on B, and record the)11 2161 1 1080 1020 t
(sequence number returned by B.)4 1294 1 1330 1140 t
(Create a raw IP socket, change its protocol to that of TCP,)11 2327 1 1080 1260 t
(and change its source to C \(by writing in the kernel\).)10 2105 1 1330 1380 t
(Send a SYN packet from port 21 \(supposedly on C\) to port 514 on B.)14 2773 1 1080 1500 t
(\(A then sends a SYN to port 21 on C, which is silently ignored because)14 2850 1 1330 1620 t
(C's queue for 21 is full.\))5 982 1 1355 1740 t
(Send an ACK packet to B with the acknowledgement number equal to the)12 2957 1 1080 1860 t
(sequence number previously recorded plus 64.)5 1857 1 1330 1980 t
(Send data to B, taking care to increment the sequence number each time)12 2880 1 1080 2100 t
(by the amount of data sent. Port 514 expects a null, followed)11 2428 1 1330 2220 t
(by a user name, followed by a command.)7 1644 1 1330 2340 t
(If all goes well, and B trusts C, B will execute the command.)12 2434 1 1080 2460 t
(Accuracy has been sacrificed for clarity, such as it is.)9 2124 1 720 2760 t
( a)1 84( allows machines on)3 855( It)1 125(This scheme, with the details filled in, does in fact work fairly reliably.)12 3006 4 970 2916 t
( There)1 286( that "trusts" any other system.)5 1246(TCP/IP network to run commands on any connected 4.2BSD system)9 2788 3 720 3036 t
( that the forger must guess could be made very)9 1929( sequence numbers)2 771( The)1 211(are a number of possible defences.)5 1409 4 720 3156 t
( the forger can ask for an)6 1008( However,)1 442( a 32 bit word, so brute force search is unprofitable.)10 2082(random; they are in)3 788 4 720 3276 t
( number algorithm; at)3 902(arbitrarily large number of test connections to determine regularities in the random)11 3418 2 720 3396 t
( better approach might be to require that all)8 1730( A)1 123(best randomness will make the forger's job somewhat harder.)8 2467 3 720 3516 t
( is network hardware dependent, and in any case)8 2024( This)1 239(networks IP uses supply genuine source host id's.)7 2057 3 720 3636 t
( workable solution might be to only trust hosts on the same phys\255)12 2623( A)1 123( work if gateways are involved.)5 1263(will not)1 311 4 720 3756 t
( packets that claim to, but do not in fact, come from directly)12 2517(ical network, and modify gateways to reject)6 1803 2 720 3876 t
(connected networks.)1 820 1 720 3996 t
(February 25, 1985)2 735 1 2500 7680 t
cleartomark
showpage
saveobj restore
%%EndPage: 3 4
%%Trailer
done
%%Pages: 4
%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-Roman Symbol