
TCP initial sequence number generation parameter

Question asked by David Avrahami on Dec 29, 2013

Hi,

 

According to Qualys VM scan report:

 

QID 105214, TCP_STRONG_ISS sets TCP initial sequence number generation parameters. The initial sequence number is adding some randomization in TCP connection. An attacker can easily inject a packet if the initial sequence number is known.

Solution: Set the TCP_STRONG_ISS parameter to 2 to add randomization.

 

The current setup in Solaris 10 is as below:

 

# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
# Set TCP_STRONG_ISS to be:
#       0 = Old-fashioned sequential initial sequence number generation.
#       1 = Improved sequential generation, with random variance in increment.
#       2 = RFC 1948 sequence number generation, unique-per-connection-ID.
#
TCP_STRONG_ISS=1


Any risk to update this parameter to 2?

 

Thanks,

David
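
For reference, the RFC 1948 scheme that setting 2 names computes ISN = M + F(localhost, localport, remotehost, remoteport), where M is a 4-microsecond clock and F is a hash of the connection ID with a secret. The sketch below is an added example, not part of the original question and not Solaris code; HMAC-SHA-256 stands in for the MD5-based hash the RFC suggests, and the addresses, secret and the sequential step of 64000 are constructed or assumed values.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF

def clock_component(now_us):
    """RFC 1948's M: a 32-bit counter that ticks once every 4 microseconds."""
    return (now_us // 4) & MASK32

def conn_offset(secret, laddr, lport, raddr, rport):
    """RFC 1948's F(): keyed hash of the connection ID, truncated to 32 bits."""
    conn_id = (socket.inet_aton(laddr) + struct.pack("!H", lport)
               + socket.inet_aton(raddr) + struct.pack("!H", rport))
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def rfc1948_isn(secret, laddr, lport, raddr, rport, now_us):
    """ISN = M + F(localhost, localport, remotehost, remoteport), mod 2**32."""
    offset = conn_offset(secret, laddr, lport, raddr, rport)
    return (clock_component(now_us) + offset) & MASK32

def sequential_isn(boot_isn, connections_so_far, step=64000):
    """Mode-0 style: one global counter, fixed step per connection (step is assumed)."""
    return (boot_isn + connections_so_far * step) & MASK32

def demo():
    secret = b"constructed-demo-secret"  # constructed; a real stack uses a random secret
    server = ("192.0.2.10", 22)          # constructed documentation addresses
    client_a = ("198.51.100.7", 40000)
    client_b = ("203.0.113.9", 40000)
    t0 = 1_000_000                        # microseconds, arbitrary start
    a1 = rfc1948_isn(secret, *server, *client_a, t0)
    a2 = rfc1948_isn(secret, *server, *client_a, t0 + 4000)  # same ID, 4 ms later
    b1 = rfc1948_isn(secret, *server, *client_b, t0)
    return {
        # Same connection ID: ISNs still advance with the clock only.
        "same_id_delta": (a2 - a1) & MASK32,
        # Different connection ID: the gap depends on the secret.
        "cross_id_delta": (b1 - a1) & MASK32,
        # Global counter: the gap between consecutive connections is a constant.
        "sequential_delta": (sequential_isn(5000, 1) - sequential_isn(5000, 0)) & MASK32,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-connection clock behaviour is unchanged, so sequence numbers for a reused connection ID keep increasing; only the relationship between ISNs handed to different peers stops being observable without the secret.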
