Administering TCP/IP

Protecting against IP address spoofing attacks

A random element has been introduced into how TCP chooses the initial send sequence number and its increment. This feature helps protect the system against IP address spoofing attacks (also known as ``IP spoofing''), in which an attacker who can predict the sequence number forges segments that appear to belong to an established connection. You can use inconfig(ADMN) to seed the random number sequence by setting the value of the TCP/IP parameter tcp_secret. The value of tcp_secret can be set to any integer from 0 through 2147483647.

Another parameter, tcp_seqbits, selects the number of bits of tcp_secret that are used to seed the sequence number increment value. The default value of tcp_seqbits is 21; its minimum and maximum values are 16 and 26. The default value represents a compromise between security and the uniqueness of the sequence number: a small value of tcp_seqbits increases the possibility that an attacker can guess the random number, while a large value decreases the time before a given sequence number occurs again. See ``Configuring TCP/IP tunable parameters'' for more information.
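The following is an added illustration, not SCO's kernel code, of the trade-off the two parameters describe. It assumes a simplified model in which the per-connection increment of the initial send sequence number is the low tcp_seqbits bits of a keyed hash of tcp_secret and the connection 4-tuple; the function names, the hash construction and the sample addresses are all constructed for the example. The value ranges (tcp_secret 0..2147483647, tcp_seqbits 16..26, default 21) are the documented ones.

```python
"""Toy model of the tcp_secret / tcp_seqbits trade-off.

Assumed model (not the SCO OpenServer implementation): the increment
applied to the initial send sequence number (ISN) for a new connection
is derived from the low `tcp_seqbits` bits of a keyed hash over
tcp_secret and the connection 4-tuple.
"""
import hashlib
import struct

SEQ_SPACE = 2 ** 32                      # TCP sequence numbers are 32-bit
SECRET_MAX = 2147483647                  # documented range of tcp_secret
SEQBITS_MIN, SEQBITS_MAX, SEQBITS_DEFAULT = 16, 26, 21


def validate(tcp_secret, tcp_seqbits):
    """Reject values outside the documented ranges of the two tunables."""
    if not 0 <= tcp_secret <= SECRET_MAX:
        raise ValueError("tcp_secret must be 0..%d" % SECRET_MAX)
    if not SEQBITS_MIN <= tcp_seqbits <= SEQBITS_MAX:
        raise ValueError("tcp_seqbits must be %d..%d" % (SEQBITS_MIN, SEQBITS_MAX))


def isn_increment(tcp_secret, tcp_seqbits, src, sport, dst, dport):
    """Per-connection ISN increment: low tcp_seqbits bits of a keyed hash.

    Hypothetical construction for illustration only.
    """
    validate(tcp_secret, tcp_seqbits)
    material = struct.pack(">I", tcp_secret)
    material += ("%s:%d>%s:%d" % (src, sport, dst, dport)).encode()
    raw = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return raw & ((1 << tcp_seqbits) - 1)


def next_isn(prev_isn, increment):
    """Advance the ISN, wrapping around the 32-bit sequence space."""
    return (prev_isn + increment) % SEQ_SPACE


def tradeoff(tcp_seqbits):
    """Return (guess_space, min_connections_before_reuse) for a setting.

    guess_space: number of increment values an attacker who does not know
    tcp_secret would have to search.
    min_connections_before_reuse: fewest connections (all at the maximum
    increment) before the 32-bit space wraps and an ISN can recur.
    """
    validate(0, tcp_seqbits)
    guess_space = 1 << tcp_seqbits
    min_connections_before_reuse = SEQ_SPACE // guess_space
    return guess_space, min_connections_before_reuse


def tradeoff_table():
    """Trade-off for the minimum, default and maximum documented settings."""
    return {bits: tradeoff(bits) for bits in (SEQBITS_MIN, SEQBITS_DEFAULT, SEQBITS_MAX)}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real host.
    secret = 123456789
    for bits, (guesses, reuse) in tradeoff_table().items():
        print("tcp_seqbits=%2d guess space=%10d  reuse after >= %6d connections"
              % (bits, guesses, reuse))
    inc = isn_increment(secret, SEQBITS_DEFAULT, "192.0.2.10", 40000, "198.51.100.5", 80)
    print("increment for sample connection:", inc, "next ISN:", next_isn(SEQ_SPACE - 1, inc))
```

Reading the table the script prints makes the compromise concrete: at tcp_seqbits=16 the increment can take only 65536 values, which is a small search space for an attacker, while at 26 the space is over 67 million values but, in the worst case, a sequence number can recur after as few as 64 connections. The default of 21 sits between the two.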



© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003