ISN Abuse (cont) One to four bytes per TCP connection. More, potentially, with compression. Very slow. Need to transmit some data in connection to be less obvious: Many half-opened connections is suspicious. Adding legitimate-looking connection wastes time. ISNs should be random: Clustering and Repeating should raise eyebrows. Works best on simple packet filters.
Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at SecureWorld Expo, 2003.
Presentation created using vim and MagicPoint.