The TCP/IP protocol suite has become the networking standard of the world, carrying
nearly all traffic on the Internet, and a large percentage of traffic on LANs as well. All
types of data traverse TCP connections, from the unimportant to the highly confidential.
While network layer protocols such as IPsec have been created to add encryption to
TCP/IP, they require special configuration and are not generally used except in VPN
configurations. The SSL protocol, which sits on top of TCP, has become much more
widespread. While SSL can ensure data confidentiality and integrity, it cannot ensure
the availability of service if the TCP layer below it is disrupted.
If implemented according to the original standards, TCP connections can be easily
disrupted even by an attacker who is not monitoring the actual traffic of the connection.
These blind spoofing attacks are mostly a problem for long-lived connections, such as
BGP sessions between routers or SSH/SSL sessions used to remotely administer servers.
Tweaks to solve these blind spoofing attacks have been implemented in many operating
systems, but many fixes have the problem that they reduce interoperability with other
This paper demonstrates how interoperability has been harmed by certain TCP changes
and discusses better solutions to the problems at hand. The topics of TCP initial
sequence numbers, TCP timestamps, IP ID values, and ephemeral port randomization are
discussed. The majority of the paper is spent discussing TCP initial sequence numbers,
as they are the primary point of attack for blind spoofing. Points of interest include a
survey of the initial sequence number generation methods of some popular operating
systems, an improvement to RFC 1948, and a proposal for how to use TCP timestamps to
increase resistance to spoofing attacks.
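The abstract names RFC 1948 as the baseline for initial sequence number generation. The following Python block is an added illustration, not code from the paper or from any operating system it surveys: it contrasts the original RFC 793 shared-clock ISN with the RFC 1948 scheme ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the 4-microsecond clock and F is a keyed hash of the connection 4-tuple. RFC 1948 proposed MD5 over the concatenated inputs; this example substitutes HMAC-SHA256 as a modern stand-in (an assumption of the example), and the fixed DEMO_SECRET, addresses and ports are constructed so the output is reproducible.

```python
"""RFC 793 versus RFC 1948 TCP initial sequence number generation (illustration)."""
import hashlib
import hmac
import os

SEQ_MODULUS = 1 << 32  # TCP sequence numbers are 32-bit
TICK_US = 4            # RFC 793 ISN clock advances once per 4 microseconds

# Constructed secret so the demonstration is reproducible. A real stack draws this
# from a CSPRNG at boot (see new_secret below) and never exposes it.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def clock_component(elapsed_us: int) -> int:
    """M: the RFC 793 clock, a counter that ticks every 4 microseconds."""
    return (elapsed_us // TICK_US) % SEQ_MODULUS


def classic_isn(elapsed_us: int) -> int:
    """Original RFC 793 behaviour: every connection takes its ISN from one shared
    clock, so one observed ISN reveals the ISN of any other connection opened at
    the same moment. This is the weakness that blind spoofing relies on."""
    return clock_component(elapsed_us)


def connection_offset(secret: bytes, local_ip: str, local_port: int,
                      remote_ip: str, remote_port: int) -> int:
    """F(localhost, localport, remotehost, remoteport, secret), truncated to 32 bits.
    HMAC-SHA256 replaces RFC 1948's MD5 construction here (assumption of this example).
    Without the secret, the offset for a 4-tuple cannot be computed from any other."""
    msg = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def rfc1948_isn(secret: bytes, local_ip: str, local_port: int,
                remote_ip: str, remote_port: int, elapsed_us: int) -> int:
    """RFC 1948 scheme: ISN = M + F(4-tuple, secret) mod 2**32.

    Within one 4-tuple the ISN still advances with the clock (so old duplicate
    segments stay outside the window, as RFC 793 intended); across different
    4-tuples the per-connection offset hides the shared clock from an observer."""
    offset = connection_offset(secret, local_ip, local_port, remote_ip, remote_port)
    return (clock_component(elapsed_us) + offset) % SEQ_MODULUS


def seq_delta(earlier: int, later: int) -> int:
    """Distance from one sequence number to another, modulo 2**32 (handles wrap)."""
    return (later - earlier) % SEQ_MODULUS


def new_secret() -> bytes:
    """How a real stack would pick the RFC 1948 secret: 32 random bytes at boot."""
    return os.urandom(32)


if __name__ == "__main__":
    # Constructed 4-tuples: a BGP-style server port, two client ephemeral ports.
    conn_a = ("192.0.2.1", 179, "198.51.100.7", 40001)
    conn_b = ("192.0.2.1", 179, "198.51.100.7", 40002)
    t0, t1 = 0, 1_000_000  # same instant, then one second later

    print("RFC 793, two connections at the same instant:",
          classic_isn(t0), classic_isn(t0))            # identical: predictable
    print("RFC 1948, two connections at the same instant:",
          rfc1948_isn(DEMO_SECRET, *conn_a, t0),
          rfc1948_isn(DEMO_SECRET, *conn_b, t0))       # differ by an unknown offset
    print("RFC 1948, same connection one second later advances by",
          seq_delta(rfc1948_isn(DEMO_SECRET, *conn_a, t0),
                    rfc1948_isn(DEMO_SECRET, *conn_a, t1)))  # 250000 ticks
```

The one-second delta of exactly 250000 ticks shows that RFC 1948 keeps the per-connection monotonic clock that protects against stale segments, while the differing ISNs for two simultaneous connections show what the secret buys: an observer of one connection learns nothing about another's ISN without the key.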
speaker: Mike Silbersack
location: SITE H0104