3.3 Enable Strong TCP Sequence Number Generation - TCP_STRONG_ISS = 2

Information

The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session.

The RFC 1948 method is widely accepted as the strongest mechanism for TCP initial sequence number generation. It makes remote session hijacking more difficult, as well as any other network-based attack that relies on predicting TCP sequence numbers. It is theoretically possible that there is a small performance cost in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this.

Solution

Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file:
# cd /etc/default
# awk '/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; { print }' inetinit > inetinit.CIS
# mv inetinit.CIS inetinit

To set the TCP_STRONG_ISS parameter on a running system, use the command:
# ipadm set-prop -p _strong_iss=2 tcp
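Audit and remediation helpers for this setting, added here as an example and not part of the benchmark text: check_strong_iss passes only when an uncommented TCP_STRONG_ISS=2 line is present, set_strong_iss goes beyond the awk above by also appending the line when the file has none, and live_strong_iss queries ipadm only where that command exists (the ipadm property syntax is assumed from the command above). The sample inetinit content is constructed for the demonstration.

```shell
# Added example (not from the benchmark): audit and remediate the
# TCP_STRONG_ISS setting in an /etc/default/inetinit-style file.

# Return 0 only if FILE has an active (uncommented) TCP_STRONG_ISS=2 line.
check_strong_iss() {
    grep -q '^[[:space:]]*TCP_STRONG_ISS=2[[:space:]]*$' "$1"
}

# Set TCP_STRONG_ISS=2 in FILE: rewrite every active TCP_STRONG_ISS= line,
# or append one if none exists. Commented-out lines are left untouched.
set_strong_iss() {
    file=$1
    tmp="$file.CIS"
    awk '
        /^[[:space:]]*TCP_STRONG_ISS=/ { print "TCP_STRONG_ISS=2"; seen = 1; next }
        { print }
        END { if (!seen) print "TCP_STRONG_ISS=2" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Show the running value through ipadm where available (assumed Solaris 11
# syntax); prints "unavailable" on systems without ipadm so it is safe to call.
live_strong_iss() {
    if command -v ipadm >/dev/null 2>&1; then
        ipadm show-prop -p _strong_iss tcp
    else
        echo unavailable
    fi
}

# Constructed sample: the weaker default plus a commented-out line that must
# not be mistaken for compliance.
make_sample_inetinit() {
    printf '# constructed sample inetinit\nTCP_STRONG_ISS=1\n#TCP_STRONG_ISS=2\n' > "$1"
}

# Stand-alone demonstration on a temporary copy, never on the real file.
demo_strong_iss() {
    f=$(mktemp)
    make_sample_inetinit "$f"
    check_strong_iss "$f" && echo "before: compliant" || echo "before: not compliant"
    set_strong_iss "$f"
    check_strong_iss "$f" && echo "after: compliant" || echo "after: not compliant"
    rm -f "$f"
}
```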

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: 91e31d6c932d8316e6bb02ad46374e891829d62e4f13ec3da42e0746c41a8364