Page 20: ISN Abuse (cont)

  ISN Abuse (cont)
  One to four bytes per TCP connection.
  More, potentially, with compression.
  Very slow.
  Need to transmit some data in the connection to be less obvious:
    Many half-opened connections are suspicious.
    Adding legitimate-looking connections wastes time.
  ISNs should be random:
    Clustering and repeating should raise eyebrows.
  Works best on simple packet filters.
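
  The "clustering and repeating" check above, sketched as a detector over ISNs collected from observed SYN packets. This is an added example, not part of the original presentation; the function name, the thresholds and the sample observations are assumptions made for illustration.

```python
from collections import defaultdict

MIN_SAMPLES = 8      # assumed: fewer SYNs per source is too little to judge
MIN_BYTE_SPAN = 128  # assumed: a byte covering under half of 0..255 is clustered

def isn_anomalies(syns):
    """syns: iterable of (source, isn) pairs taken from observed SYN packets.
    Returns {source: [reasons]} for sources whose ISNs do not look random."""
    by_src = defaultdict(list)
    for src, isn in syns:
        by_src[src].append(isn & 0xFFFFFFFF)
    findings = {}
    for src, isns in by_src.items():
        if len(isns) < MIN_SAMPLES:
            continue
        reasons = []
        # Repeating: random 32-bit values should not recur in a small sample.
        if len(set(isns)) < len(isns):
            reasons.append("repeated")
        # Clustering: each of the four ISN bytes should range over most of 0..255.
        for pos in range(4):
            vals = [(isn >> (8 * (3 - pos))) & 0xFF for isn in isns]
            if max(vals) - min(vals) + 1 < MIN_BYTE_SPAN:
                reasons.append(f"clustered byte {pos}")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed sample observations (documentation addresses, made-up ISNs).
SPREAD = [0x1A2B3C4D, 0xE4F50617, 0x8899AABB, 0x03C4D5E6,
          0xF7081929, 0x5B6C7D8E, 0xC0D1E2F3, 0x2F3E0D1C]
NARROW = [0x6810F3A2, 0x65C72B19, 0x6C3E90D4, 0x6C9A05E7,
          0x6FE1480B, 0x20547CF0, 0x770BE23C, 0x6FA8B165]
REUSED = SPREAD[:7] + [SPREAD[0]]

def sample_syns():
    rows = [("192.0.2.10", i) for i in SPREAD]
    rows += [("192.0.2.20", i) for i in NARROW]
    rows += [("192.0.2.30", i) for i in REUSED]
    return rows

if __name__ == "__main__":
    for src, reasons in isn_anomalies(sample_syns()).items():
        print(src, ", ".join(reasons))
```

  The thresholds are heuristics and need tuning against the ISN behaviour of the stacks actually present on the monitored network.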

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SecureWorld Expo, 2003.

Presentation created using vim and MagicPoint.