On Tue, 20 Apr 2004, tad pedley wrote:
> Although denial of service using crafted TCP packets is a well known
> weakness of TCP, until recently it was believed that a successful
> denial of service attack was not achievable in practice. The reason
> for this is that the receiving TCP implementation checks the
> sequence number of the RST or SYN packet, which is a 32 bit number,
> giving a probability of 1/2^32 of guessing the sequence number
> correctly (assuming a random distribution).
>
> The discoverer of the practicability of the RST attack was Paul A.
> Watson, who describes his research in his paper "Slipping In The
> Window: TCP Reset Attacks", presented at the CanSecWest 2004
> conference. He noticed that the probability of guessing an
> acceptable sequence number is much higher than 1/2^32 because the
> receiving TCP implementation will accept any sequence number in a
> certain range (or "window") of the expected sequence number. The
> window makes TCP reset attacks practicable.
Believed by whom, is the question.

It has been clearly documented for a long time now that such larger windows exist. They have even been documented specifically about BGP (draft-ietf-idr-bgp-vuln-00.txt).

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
