Subject: Re: TCP sequence numbers.
To: Joachim Baran <jbaran@hildesheim.sgh-net.de>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 03/25/1999 10:59:33
> Hm, I think it's not exactly linear - I used tcpdump with option -x
> to view the packets directly. I've seen that with the time the SEQs
> increase with a very close algorithm to time.
> 
>   BTW: This is on 1.3.2 x86 and SPARC (Well - both the same
> source :>).

Are all the connections to the same 4-tuple (src host, src port, dst
host, dst port)?  The iss should be completely random if any of the
4-tuple are different; otherwise, the iss should increase by a small,
but random amount for each connection.

Otherwise, see the following comment in tcp_subr.c:

	/*
	 * If we were asked to add some amount to a known value,
	 * we will take a random value obtained above, mask off the upper
	 * bits, and add in the known value.  We also add in a constant to
	 * ensure that we are at least a certain distance from the original
	 * value.
	 *
	 * This is used when an old connection is in timed wait
	 * and we have a new one coming in, for instance.
	 */

The sequence numbers are still random in this case, but over a reduced
range, because they have to be (in order to prevent stale packets from
the old connection from being mistaken as belonging to the new one).

I think this is an acceptable tradeoff; the main reason for making ISS
values unpredictable is to defeat off-path active attacks (where an
attacker can't see what ISS's are in use between two hosts).  If the
attacker already knows a valid sequence number for a given connection,
then they presumably are already in a position to hijack an existing
connection.

					- Bill
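To make the policy in the quoted comment concrete, here is an added example (not the NetBSD tcp_subr.c code, and not posted by either participant): a user-space model of the two cases, fully random ISS for a new 4-tuple versus "random over a reduced range, offset from a known value" when an old connection on the same 4-tuple is in TIME_WAIT. The mask width, the minimum-distance constant and the `model_` names are assumptions chosen for illustration.

```c
/* Added example: a simplified model of the ISS policy discussed above.
 * Constants and function names are assumptions, not kernel values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ISS_ADDIN_MASK 0x00ffffffu  /* assumed: keep the low 24 bits of the random value */
#define ISS_ADDIN_MIN  0x01000000u  /* assumed: minimum distance from the known value */

/* Stand-in random source; a kernel would draw from its entropy pool. */
static uint32_t model_random32(void) {
    return ((uint32_t)rand() << 16) ^ (uint32_t)rand();
}

/* addin == 0: no prior connection on this 4-tuple, ISS is fully random.
 * addin != 0: a known value (e.g. the TIME_WAIT connection's sequence
 * number); mask off the upper bits of the random value and add the
 * known value plus a constant, so the new ISS is random over a reduced
 * range but guaranteed to sit ahead of the old one. */
uint32_t model_new_iss(uint32_t addin) {
    uint32_t r = model_random32();
    if (addin == 0)
        return r;
    return (r & ISS_ADDIN_MASK) + ISS_ADDIN_MIN + addin;
}

/* Check the property the comment promises: the new ISS is between
 * ISS_ADDIN_MIN and ISS_ADDIN_MIN + ISS_ADDIN_MASK ahead of the known
 * value, with sequence-space wraparound handled by unsigned arithmetic. */
int model_iss_in_window(uint32_t known, uint32_t iss) {
    uint32_t delta = iss - known;  /* wraps mod 2^32 */
    return delta >= ISS_ADDIN_MIN && delta <= ISS_ADDIN_MIN + ISS_ADDIN_MASK;
}

int main(void) {
    uint32_t known = 0xdeadbeefu;  /* constructed sample "old" sequence number */
    for (int i = 0; i < 3; i++) {
        uint32_t iss = model_new_iss(known);
        printf("known %08x -> new iss %08x (delta %u, in window: %d)\n",
               known, iss, iss - known, model_iss_in_window(known, iss));
    }
    printf("fresh 4-tuple iss: %08x\n", model_new_iss(0));
    return 0;
}
```

The window check is the part worth keeping around: it is the invariant that separates a stale TIME_WAIT segment from the new connection's sequence space.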