> From the logged values and the source code we can deduce that the last
> two packets from the SSH server (that.host) to the client (this.host)
> were seen (by pf, in the kernel) exactly
>
>   delta_ts.tv_sec == 120
>   delta_ts.tv_usec == 82719
>
> apart. This approximately matches the difference in the bpf log, too.
> So, between those two subsequent packets, the server incremented its
> timestamp by
>
>   delta_tsval == 1424952994 - 1424712993 == 240001
>
> within the timespan of
>
>   delta_usec == 120 * 1000000 + 82719 == 2082719
>
> which means it incremented its timestamp with a frequency of about
>
>   ts_freq == 240001 / 2082719 usec ~= 115 kHz
If I were to see this in the wild I would conclude it's a blind hijacking
attempt. If a spoofer gets a packet inside the sequence window with a
significantly higher timestamp then the victim will start ignoring the
packets from the original host with the smaller timestamps. That lets the
blind spoofer take over the TCP connection without the ACK storm that
typically results from out-of-line hijacking.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
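The two things discussed in this thread, estimating a peer's timestamp clock rate from two packets pf has seen and the PAWS effect that lets a blind spoofer with a high TSval silence the real peer, as an added worked example. This is not code from pf or from either poster; the packet values are constructed (a 1 kHz timestamp clock, nothing to do with the numbers quoted above), and the anomaly heuristic with its `tolerance` and `slack_ticks` parameters is an assumed illustration of the kind of plausibility check a stateful filter can apply, not pf's own algorithm.

```python
"""Constructed example: estimate a peer's TCP timestamp clock from two
observed packets, flag a later packet whose TSval jumped further than that
clock could have ticked, and show why such a jump lets a blind spoofer win
under PAWS (RFC 1323 / RFC 7323). Assumed heuristic, not pf's code."""

from dataclasses import dataclass

MOD = 1 << 32


@dataclass(frozen=True)
class Pkt:
    seq: int      # TCP sequence number of the segment
    tsval: int    # TSval from the TCP timestamp option
    t_usec: int   # time the packet was seen by the filter, in microseconds


def modsub(a: int, b: int) -> int:
    """a - b in 32-bit two's complement, returned as a signed int.
    This is the ordering PAWS and sequence-window checks use."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def ts_rate_hz(a: Pkt, b: Pkt) -> float:
    """Sender's timestamp ticks per second, from two packets from that sender
    (the same computation as delta_tsval / delta_usec in the thread)."""
    dt = b.t_usec - a.t_usec
    if dt <= 0:
        raise ValueError("samples must be in capture order")
    return modsub(b.tsval, a.tsval) * 1_000_000 / dt


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return 0 <= modsub(seq, rcv_nxt) < rcv_wnd


def paws_reject(ts_recent: int, tsval: int) -> bool:
    """PAWS: a receiver drops a segment whose TSval is older than the last
    TSval it accepted (ts_recent)."""
    return modsub(tsval, ts_recent) < 0


def tsval_anomaly(last: Pkt, cur: Pkt, rate_hz: float,
                  tolerance: float = 0.25, slack_ticks: int = 10) -> bool:
    """Assumed heuristic: flag cur if its TSval advanced far more than the
    sender's clock could have ticked since last. tolerance is a fraction of
    the expected ticks; slack_ticks absorbs jitter on short intervals."""
    elapsed_ticks = rate_hz * (cur.t_usec - last.t_usec) / 1_000_000
    actual = modsub(cur.tsval, last.tsval)
    return actual > elapsed_ticks * (1 + tolerance) + slack_ticks


def scenario() -> dict:
    """Constructed stream from one peer, then a blind spoofer's segment."""
    rcv_nxt, rcv_wnd = 1000, 65535
    # Two packets 120 s apart; TSval advanced 120000 ticks, so 1 kHz clock.
    a = Pkt(seq=rcv_nxt, tsval=1424712993, t_usec=0)
    b = Pkt(seq=rcv_nxt, tsval=1424832993, t_usec=120_000_000)
    rate = ts_rate_hz(a, b)
    # A legitimate packet one second later: +1000 ticks, as expected.
    legit = Pkt(seq=rcv_nxt, tsval=1424833993, t_usec=121_000_000)
    # Spoofer guesses a seq inside the window but picks a TSval far ahead
    # of anything the real peer's clock could reach in 50 ms.
    spoof = Pkt(seq=rcv_nxt + 400, tsval=legit.tsval + 5_000_000,
                t_usec=121_050_000)
    # The real peer's next segment, 50 ms (50 ticks) after legit.
    after = Pkt(seq=rcv_nxt, tsval=legit.tsval + 50, t_usec=121_050_000)
    return {
        "rate_hz": rate,
        "legit_flagged": tsval_anomaly(b, legit, rate),
        "spoof_in_window": in_window(spoof.seq, rcv_nxt, rcv_wnd),
        "spoof_flagged": tsval_anomaly(legit, spoof, rate),
        # Had the victim accepted the spoof, ts_recent would be the spoofed
        # TSval and PAWS would now drop the real peer's traffic.
        "real_peer_rejected_after_spoof": paws_reject(spoof.tsval, after.tsval),
        "real_peer_ok_without_spoof": paws_reject(legit.tsval, after.tsval),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point of the last two entries in `scenario()` is the mechanism in the reply above: once the victim has accepted a segment with the inflated TSval, every subsequent segment from the genuine peer fails the PAWS comparison and is silently discarded, so the real peer never sees the duplicate ACKs that would otherwise turn into an ACK storm. A filter that tracks the observed clock rate can refuse the jump before the victim's stack records it.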