stcpb and dtcpb

Carter Bullard carter at qosient.com
Fri Nov 16 09:19:35 EST 2007


Yes, they are the TCP base sequence numbers. They are important for many, many reasons. Here are just a few. Once you start to think about them, many ideas should come to mind. The property that a base TCP sequence number is globally random is a very interesting thing to consider (with great emphasis on the global).

The first simple use should be to discriminate between real and non-real TCP traffic. A lot of scanners use the same stcpb, or they use very poor techniques for choosing the base number in their hand-crafted packets. So you can sometimes identify in only a few records that something is up. A sophisticated analysis can sometimes tell you the number of sources in a TCP-based DDOS attack.

Many kernel-based trojans use poorly chosen dtcpb's (which are supposed to be random) in their responses and are dead giveaways.

At one time, TCP hijacking, based on base sequence number prediction, was popular, and it was easy to identify hosts that were susceptible by looking at stcpb's from just a few argus records.  This is now a part of many OS fingerprinting strategies.

And I use them to globally track TCP connections through multiple NATs.

So, your intuition is correct.

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
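
The following is an added example, not code from the Argus project or from either poster, that turns the three uses above into working checks over flow records: stcpb values shared by many sources (hand-crafted packets, and a lower bound on the senders in a flood), a responder whose base sequence numbers step by a constant and are therefore predictable, and matching the same connection on two sides of a NAT by its (stcpb, dtcpb) pair. It assumes ra output restricted to the seven fields in the command shown in the docstring; the records, addresses and sequence numbers are constructed, and the predictability test is deliberately crude (a constant delta), which is what catches the old incrementing generators and fixed-value trojan responses, not a modern randomized stack.

```python
"""Heuristics over Argus stcpb/dtcpb (TCP base sequence numbers).
Added illustration, not Argus code. Input mimics a hypothetical run of
    ra -r argus.out -s stime saddr sport daddr dport stcpb dtcpb
and every record below is constructed, not captured."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    stime: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    stcpb: int  # initiator's base (initial) sequence number, from its SYN
    dtcpb: int  # responder's base sequence number, from its SYN+ACK


# Constructed records from a sensor inside a NAT: 10.0.0.5/.6/.7 all carry
# the same stcpb, and 192.0.2.66 answers with ISNs that step by exactly 64000.
INSIDE_RA = """\
10:00:01.000 10.0.0.5 40001 192.0.2.10 80 3100221987 1894477103
10:00:01.010 10.0.0.6 40002 192.0.2.10 80 3100221987 2718281828
10:00:01.020 10.0.0.7 40003 192.0.2.10 80 3100221987  314159265
10:00:02.000 10.0.0.8 40004 192.0.2.10 80 1234567890 1414213562
10:00:03.000 10.0.0.9 50000 192.0.2.66 22  987654321    4096000
10:00:04.000 10.0.0.9 50001 192.0.2.66 22  112233445    4160000
10:00:05.000 10.0.0.9 50002 192.0.2.66 22 2233445566    4224000
"""
# Constructed records from a sensor outside the NAT: source address and
# port were rewritten, the sequence numbers were not.
OUTSIDE_RA = """\
10:00:02.001 203.0.113.1 61000 192.0.2.10 80 1234567890 1414213562
10:00:03.001 203.0.113.1 61001 192.0.2.66 22  987654321    4096000
"""


def parse_ra(text: str) -> List[Flow]:
    """Parse whitespace-separated ra output carrying exactly the seven
    Flow fields, in that order; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            stime, saddr, sport, daddr, dport, stcpb, dtcpb = parts
            flows.append(Flow(stime, saddr, int(sport), daddr, int(dport),
                              int(stcpb), int(dtcpb)))
    return flows


def shared_stcpb(flows: List[Flow], min_sources: int = 2) -> Dict[int, Set[str]]:
    """Base sequence numbers reused by several distinct sources. A real
    stack draws a fresh ISN per connection, so one stcpb arriving from many
    sources points at hand-crafted packets (a scanner or a spoofed flood);
    the set size is a lower bound on the real senders behind that value."""
    by_isn: Dict[int, Set[str]] = defaultdict(set)
    for f in flows:
        by_isn[f.stcpb].add(f.saddr)
    return {isn: s for isn, s in by_isn.items() if len(s) >= min_sources}


def isns_chosen_by(flows: List[Flow], host: str) -> List[int]:
    """ISNs a host generated itself, in record order: its stcpb where it
    initiated, its dtcpb where it answered a SYN."""
    return [f.stcpb if f.saddr == host else f.dtcpb
            for f in flows if host in (f.saddr, f.daddr)]


def predictable_isn(isns: List[int], min_samples: int = 3) -> bool:
    """True when every consecutive pair differs by one constant (mod 2**32):
    a fixed or linearly stepping generator that a hijacker can extrapolate.
    A delta of zero (the same ISN every time) also counts."""
    if len(isns) < min_samples:
        return False
    deltas = {(b - a) % 2**32 for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


def match_across_nat(inside: List[Flow], outside: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Pair flows seen on two sensors by their (stcpb, dtcpb) tuple. Plain
    address/port NAT leaves TCP sequence numbers untouched, so the two ISNs
    make a connection key that survives translation; a NAT that rewrites
    sequence numbers (some ALGs do) breaks the match."""
    by_key = {(f.stcpb, f.dtcpb): f for f in outside}
    return [(f, by_key[(f.stcpb, f.dtcpb)]) for f in inside
            if (f.stcpb, f.dtcpb) in by_key]


if __name__ == "__main__":
    inside, outside = parse_ra(INSIDE_RA), parse_ra(OUTSIDE_RA)
    for isn, srcs in shared_stcpb(inside).items():
        print(f"stcpb {isn} reused by {len(srcs)} sources: {sorted(srcs)}")
    for host in ("192.0.2.10", "192.0.2.66"):
        print(host, "predictable ISNs:", predictable_isn(isns_chosen_by(inside, host)))
    for i, o in match_across_nat(inside, outside):
        print(f"{i.saddr}:{i.sport} seen outside as {o.saddr}:{o.sport}")
```

On the constructed input, the three 10.0.0.x sources sharing stcpb 3100221987 are flagged, 192.0.2.66 is reported as predictable while 192.0.2.10 is not, and the two inside flows are paired with their rewritten counterparts outside the NAT. The delta is taken modulo 2**32 so a generator that wraps around the sequence space is still caught.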

-----Original Message-----
From: "CS Lee" <geek00l at gmail.com>

Date: Fri, 16 Nov 2007 10:02:47
To: Argus <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] stcpb and dtcpb


Hi Carter,

After poking at the stcpb and dtcpb metrics, I figure they are useful for TCP session tracking. As far as I know, the stcpb metric is actually based on the initial sequence number in that particular connection setup, and the dtcpb is the sequence number seen in the SYN+ACK packet from the destination.

And I would like to know if my assumption is right. Thanks.

-- 
Best Regards,

CS Lee <geekooL[at]gmail.com>

http://geek00l.blogspot.com