Subject: Re: TCP sequence numbers.
To: Bill Sommerfeld <>
From: Steven M. Bellovin <>
List: tech-security
Date: 03/25/1999 11:04:58
In message <>, Bill Sommerfeld wri
> > Hm, I think it's not exactly linear - I used tcpdump with option -x
> > to view the packets directly. I've seen that with the time the SEQs
> > increase with a very close algorithm to time.
> > 
> >   BTW: This's on 1.3.2 x86 and SPARC (Well - both the same
> > source :>).
> Are all the connections to the same 4-tuple (src host, src port, dst
> host, dst port)?  The iss should be completely random if any of the
> 4-tuple are different; otherwise, the iss should increase by a small,
> but random amount for each connection.
> Otherwise, see the following comment in tcp_subr.c:
> 	/*
> 	 * If we were asked to add some amount to a known value,
> 	 * we will take a random value obtained above, mask off the upper
> 	 * bits, and add in the known value.  We also add in a constant to
> 	 * ensure that we are at least a certain distance from the original
> 	 * value.
> 	 *
> 	 * This is used when an old connection is in timed wait
> 	 * and we have a new one coming in, for instance.
> 	 */
> The sequence numbers are still random in this case, but over a reduced
> range, because they have to be (in order to prevent stale packets from
> the old connection from being mistaken as belonging to the new one).

Also see RFC 1948.