
TCP initial sequence number generation parameter

Question asked by David Avrahami on Dec 29, 2013



According to Qualys VM scan report:


QID 105214, TCP_STRONG_ISS sets TCP initial sequence number generation parameters. The initial sequence number is adding some randomization in TCP connection. An attacker can easily inject a packet if the initial sequence number is known.

Solution:  Set the TCP_STRONG_ISS parameter to 2 to add randomization.


The current setup in Solaris 10 is as below:


# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
# Set TCP_STRONG_ISS to be:
#       0 = Old-fashioned sequential initial sequence number generation.
#       1 = Improved sequential generation, with random variance in increment.
#       2 = RFC 1948 sequence number generation, unique-per-connection-ID.






Any risk to update this parameter to 2?
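
The three TCP_STRONG_ISS modes listed in the configuration comments above, as a simplified model (an added example, not part of the original post and not Solaris's implementation). The step size, variance, secret, addresses and the use of SHA-256 in place of the MD5 suggested by RFC 1948 are assumptions chosen for illustration.

```python
import hashlib
import random
import struct

MOD = 2 ** 32    # TCP sequence numbers are 32-bit
STEP = 64000     # assumed per-connection increment (illustrative)
VARIANCE = 4096  # assumed random spread for mode 1 (illustrative)

def iss_sequential(counter):
    """Mode 0 model: one global counter, fixed step per new connection."""
    return (counter + STEP) % MOD

def iss_random_increment(counter, rng):
    """Mode 1 model: fixed step plus a bounded random variance."""
    return (counter + STEP + rng.randrange(VARIANCE)) % MOD

def iss_rfc1948(clock, secret, laddr, lport, raddr, rport):
    """Mode 2 model: ISS = M + F(connection-id, secret)."""
    conn_id = f"{laddr}:{lport}|{raddr}:{rport}".encode()
    digest = hashlib.sha256(secret + conn_id).digest()
    return (clock + struct.unpack("!I", digest[:4])[0]) % MOD

def iss_gaps(seed=1):
    """Gap between two consecutive ISS values as seen under each mode."""
    rng = random.Random(seed)            # fixed seed: repeatable demo
    secret = b"constructed-boot-secret"  # constructed sample value
    start = 1000
    gaps = {}
    first = iss_sequential(start)
    gaps[0] = (iss_sequential(first) - first) % MOD
    first = iss_random_increment(start, rng)
    gaps[1] = (iss_random_increment(first, rng) - first) % MOD
    # Mode 2: same instant, same server port, two different remote peers
    # (documentation addresses from RFC 5737).
    a = iss_rfc1948(start, secret, "192.0.2.10", 80, "198.51.100.7", 40000)
    b = iss_rfc1948(start, secret, "192.0.2.10", 80, "203.0.113.9", 40000)
    gaps[2] = (b - a) % MOD
    # Same connection ID reused 250 ticks later: only the clock term moves.
    later = iss_rfc1948(start + 250, secret,
                        "192.0.2.10", 80, "198.51.100.7", 40000)
    gaps["same_id"] = (later - a) % MOD
    return gaps

if __name__ == "__main__":
    for mode, gap in iss_gaps().items():
        print(mode, gap)
```

In this model the gap is constant in mode 0 and confined to a narrow band in mode 1, while in mode 2 two different connection IDs sit in unrelated sequence spaces and a reused connection ID still advances with the clock.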