Subject: Re: TCP sequence numbers.
To: Joachim Baran <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 03/25/1999 10:59:33
> Hm, I think it's not exactly linear - I used tcpdump with option -x
> to view the packets directly. I've seen that with the time the SEQs
> increase with a very close algorithm to time.
> BTW: This's on 1.3.2 x86 and SPARC (Well - both the same
> source :>).
Are all the connections to the same 4-tuple (src host, src port, dst
host, dst port)? The iss should be completely random if any of the
4-tuple are different; otherwise, the iss should increase by a small,
but random amount for each connection.
Otherwise, see the following comment in tcp_subr.c:
* If we were asked to add some amount to a known value,
* we will take a random value obtained above, mask off the upper
* bits, and add in the known value. We also add in a constant to
* ensure that we are at least a certain distance from the original
* This is used when an old connection is in timed wait
* and we have a new one coming in, for instance.
The sequence numbers are still random in this case, but over a reduced
range, because they have to be (in order to prevent stale packets from
the old connection from being mistaken as belonging to the new one).
I think this is an acceptable tradeoff; the main reason for making ISS
values unpredictable is to defeat off-path active attacks (where an
attacker can't see what ISS's are in use between two hosts). If the
attacker already knows a valid sequence number for a given connection,
then they presumably are already in a position to hijack an existing