Subject: Re: TCP sequence numbers.
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Joachim Baran <jbaran@hildesheim.sgh-net.de>
List: tech-security
Date: 03/26/1999 09:51:07
On Thu, 25 Mar 1999, Bill Sommerfeld wrote:
> Are all the connections to the same 4-tuple (src host, src port, dst
> host, dst port)? The iss should be completely random if any of the
> 4-tuple are different; otherwise, the iss should increase by a small,
> but random amount for each connection.
Only src host changes in my tests.
My tests do the following:
- send TCP SYN to port X with real src ip
- do this several times to get some idea how far the increase is (approx of course)
- send whole TCP connection handshake packets with fake ip to dest host
- do this N times within a range of calculated SEQ numbers
Well, the point would be that you do not have to send
all 2^32 possible SEQ numbers but only a small range.
Based on my calculation a range of 30000 packets would
do. Till now this is too much for me because my network
with 10Mbit/s is too slow to succeed - but it might work
on faster networks (such as 100BaseT or FDDI).
Bye.
--
Joachim Baran <jbaran@hildesheim.sgh-net.de>
Breslauerstr. 18, 31171 Mahlerten, Lower Saxony/Germany
http://jbaran.users.sgh-net.de/
Network Administration and Programming
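As an added example (not part of this thread or of NetBSD), a small audit helper that applies the rule Bill states above to ISNs a host you administer returned in its SYN-ACKs: the spread of the increments between consecutive ISNs bounds how much of the next ISN a remote observer still has to guess, so a narrow spread (as in the 30000-packet estimate above) means the generator is predictable. The ISN samples and the 16-bit threshold are constructed for illustration, not captured data.

```python
import math
from statistics import median

# Constructed sample: ISNs a host handed out to eight consecutive SYNs from
# the same client, each one roughly 16000 above the last (hypothetical values).
PREDICTABLE_ISNS = [
    0x1A2B0000, 0x1A2B3E00, 0x1A2B7E00, 0x1A2BBD00,
    0x1A2BFA00, 0x1A2C39C0, 0x1A2C7880, 0x1A2CB6C0,
]
# Constructed sample where no increment tells you anything about the next one.
RANDOM_ISNS = [
    0x9F3C12A7, 0x0B77E1D0, 0xC4A0FF39, 0x52E8B6C1,
    0x7D1904EE, 0xE6B3A205, 0x2C5F7A9B, 0xA8D03C44,
]


def isn_increments(isns):
    """Increment between consecutive ISNs, taken modulo 2^32 like the field itself."""
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


def isn_uncertainty_bits(isns):
    """Estimate how many bits of the next ISN an observer of past ISNs cannot know.

    If increments always fall in a window of width `spread`, the next ISN falls
    in a window of that width too, so log2(spread) bits remain unknown.
    A spread covering the whole 32-bit space means the ISN looks fully random.
    """
    deltas = isn_increments(isns)
    spread = max(deltas) - min(deltas) + 1
    return min(32.0, math.log2(spread))


def assess_isn(isns, min_bits=16):
    """Summarise the ISN behaviour and flag it if fewer than `min_bits` remain unknown.

    The 16-bit threshold is an assumed audit policy, not a standard value.
    """
    deltas = isn_increments(isns)
    bits = isn_uncertainty_bits(isns)
    return {
        "median_increment": median(deltas),
        "uncertainty_bits": round(bits, 1),
        "predictable": bits < min_bits,
    }


if __name__ == "__main__":
    print("same 4-tuple, stepped ISNs:", assess_isn(PREDICTABLE_ISNS))
    print("random ISNs:", assess_isn(RANDOM_ISNS))
```

Feed `assess_isn` ISNs captured from your own host with a packet sniffer; a low `uncertainty_bits` together with a steady `median_increment` is the pattern the thread is worried about.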