COMMAND

    Quantum SNAP server incremental TCP sequence number & DoS by fragment packets

SYSTEMS AFFECTED

    Tested machine: SNAPserver4100/160G
    Hardware version is 2.2.1, OS is 2.4.441 (JP).

PROBLEM

    awacs@hawkeye found the following bugs:

    Problem 1 : increasing sequence number.
    ========================================
    I fingerprinted the TCP/IP protocol stack, and from the results I think the SNAP server's OS is *BSD. This OS's TCP sequence number was simply the previous number plus 800. So, it's easy to spoof an IP connection.

    Problem 2 : DoS attack by fragment packet.
    ==========================================
    When I searched for open ports, I used nmap with the -f option. Some minutes after running nmap, the SNAP server was down. I searched the Bugtraq archive and found this article:

    http://www.securityfocus.com/archive/1/187411

    According to this article, NetBSD had a vulnerability, and I think the SNAP server had the same problem.

SOLUTION

    Use a firewall (or another protection method) to protect against malicious user(s). Or ask the vendor :-)

    Vendor status
    ==============
    I reported this problem to Quantum's Japanese region, and I received an answer. He said, "We will print about this problem on the WWW, and in the next version of SNAPserver we will change the OS from BSD to Linux. So, please wait to release the advisory until next year (2002)." After this comment, I didn't get any information from the vendor. I don't know whether it was revised or not.
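
Added example (not part of the original advisory and not vendor code): a Python check that takes initial sequence numbers sampled from a device you administer, for instance read from SYN-ACKs in a packet capture, and reports whether they advance by a fixed step such as the 800 described in Problem 1. It goes slightly beyond the advisory's case by also handling 32-bit wraparound and samples with missed connections in between; the function names, the max_multiple threshold and all sample values are assumptions constructed for illustration.

```python
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns, max_multiple=16):
    """Report whether sampled ISNs advance by a fixed step.

    The step is the GCD of all deltas. If other connections hit the device
    between two samples, the delta is a small multiple of the step, so the
    sample is flagged when every delta is at most max_multiple steps
    (max_multiple is an assumed threshold, not a standard value).
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    step = reduce(gcd, deltas)
    if step == 0:  # the same ISN every time
        return {"predictable": True, "step": 0, "multiples": [0] * len(deltas)}
    multiples = [d // step for d in deltas]
    if max(multiples) <= max_multiple:
        return {"predictable": True, "step": step, "multiples": multiples}
    return {"predictable": False, "step": None, "multiples": []}


# Constructed samples (not captured from a real device).
FIXED_STEP = [(4294966000 + 800 * i) % MOD for i in range(6)]  # wraps past 2**32
WITH_GAPS = [1000, 1800, 3400, 4200, 6600]  # connections missed between samples
RANDOMIZED = [0x3A1F9C02, 0xC47B10E5, 0x09D2E6A1, 0x7F03B2CC, 0xE1558D17]

if __name__ == "__main__":
    for name, sample in [("fixed step", FIXED_STEP),
                         ("with gaps", WITH_GAPS),
                         ("randomized", RANDOMIZED)]:
        print(name, assess_isns(sample))
```

A "predictable" result on a production device is a reason to keep it behind a filtering firewall, as the SOLUTION section advises, and to ask the vendor about ISN randomization.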