Subject: TCP sequence numbers.
To: None <>
From: Joachim Baran <>
List: tech-security
Date: 03/21/1999 10:44:01

  On my last journey thru the great unknown world of
Unices I encountered that NetBSD manages it's TCP
sequence numbers in a linear way to time.

  I would say that sequence numbers received on SYN
packets are guessable. Not very precisely but it's
possible to predict a range of SYN numbers that
are very likely to be sent (and that aren't all
2^32 possibilities :>).

  With some testing I was able to spoof a whole
connection (so: SYN, than ACK and so on till the
last packet). Maybe it would be better to use
some more random like? Was this already in
discussion? I know that random like SEQs would
be slower, but not everyone is using ssh or
similar and telnet, smtp and others are to
weak to avoid such spoofed packets.

  Hope that's not to lame for this list...

Joachim Baran         
31171 Mahlerten                       Network Administration
Lower Saxony/Germany                         and Programming