Home › Forums › Discussions › Support Portal › Randomizing tcp initial sequence numbers, and IP id field › Re: randomizing tcp sequence numbers and the IP id field
Thanks krisleech, the randomization you are talking about is a little further than even I was looking for. We just want to randomize the initial sequence numbers, not all the sequence numbers. Let me give you some stats from our research to show you what we a looking for. The following is 2 lists of initial sequence numbers seen by a target destination. The first is a list of ISNs (initial sequence numbers) seen from a normal Microsoft windows 2000 host directly connected. Note there is some randomizaiton. The second is with a PIX 525 inline between the source (2 windows 2000 hosts) and the destination (the same target host). The PIX greatly improved the randomization of the ISNs. These should highlight the differences and level of randomization we would like to see:
1.BASELINE (no firewall involved, just Microsoft’s native randomizing)
15. PIX firewall – future reference ethereal capture c:temppix2.txt
FIREWALL INSIDE INTERFACE SAW: 245852646 (from comp1)
246488339 (from comp1)
247409802 (from comp1)
247997942 (from comp1)
248683549 (from comp1)
DESTINATION SAW the following ISNs in order, for the above packets:
– no comparison right? The PIX, in it’s state table, runs its own list of sequence numbers which allows it to greatly improve randomization. That is what we are looking for using Winpkfilter. Well that, and the randomization of the IP id field, which is simple compared to ISNs.
Does anyone have a copy of a program in which they have manipulated tcp/ip fields that works, that we could get a copy of? Thank you.