Protecting against IP address spoofing attacks
A random element has been introduced into how TCP chooses the initial send sequence number and its increment. This feature helps protect the system from IP address spoofing attacks (also known as ``IP spoofing''). You can use inconfig(ADMN) to seed the random number sequence by setting the value of the TCP/IP parameter tcp_secret. The value of tcp_secret can be set to any integer from 0 through 2147483647.
Another parameter, tcp_seqbits, selects the number of bits of tcp_secret that are used to seed the sequence number increment value. The default value of tcp_seqbits is 21; its minimum and maximum values are 16 and 26. The default value represents a compromise between security and the uniqueness of the sequence number. If the value of tcp_seqbits is small, an attacker has a better chance of guessing the random number. If it is large, the increments consume the 32-bit sequence number space faster, which decreases the time before a given sequence number occurs again. See Appendix C, ``Configuring TCP/IP tunable parameters'' in the Performance Guide for more information.
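The following Python is an added illustration, not code from this documentation or from the TCP implementation it describes: it models the tcp_secret/tcp_seqbits trade-off by assuming (hypothetically) that each new connection's initial sequence number advances by a pseudo-random increment of tcp_seqbits bits drawn from a generator seeded with tcp_secret, then compares the attacker's single-guess probability against how quickly the 32-bit sequence space wraps.

```python
import random

SEQ_SPACE = 2 ** 32                # TCP sequence numbers are 32-bit
TCP_SECRET_MAX = 2147483647        # documented range of tcp_secret
SEQBITS_MIN, SEQBITS_MAX = 16, 26  # documented range of tcp_seqbits

def validate(tcp_secret, tcp_seqbits):
    """Reject values outside the documented ranges before applying them."""
    if not 0 <= tcp_secret <= TCP_SECRET_MAX:
        raise ValueError("tcp_secret must be 0..2147483647")
    if not SEQBITS_MIN <= tcp_seqbits <= SEQBITS_MAX:
        raise ValueError("tcp_seqbits must be 16..26")
    return True

def isn_sequence(tcp_secret, tcp_seqbits, connections):
    """Hypothetical model, not the real stack: each connection's ISN is the
    previous one plus a pseudo-random increment of tcp_seqbits bits drawn
    from a PRNG seeded with tcp_secret."""
    validate(tcp_secret, tcp_seqbits)
    rng = random.Random(tcp_secret)
    isn, isns = 0, []
    for _ in range(connections):
        isn = (isn + rng.getrandbits(tcp_seqbits)) % SEQ_SPACE
        isns.append(isn)
    return isns

def guess_probability(tcp_seqbits):
    """Knowing the previous ISN but not the increment, one guess at the
    next ISN succeeds with probability 2**-tcp_seqbits."""
    return 2.0 ** -tcp_seqbits

def expected_connections_until_wrap(tcp_seqbits):
    """Mean increment is about 2**(tcp_seqbits-1), so the 32-bit space is
    used up, and earlier sequence numbers recur, after this many connections."""
    return SEQ_SPACE // 2 ** (tcp_seqbits - 1)

def measured_connections_until_wrap(tcp_secret, tcp_seqbits):
    """Count model connections until the summed increments first exceed 2**32."""
    rng = random.Random(tcp_secret)
    total, n = 0, 0
    while total < SEQ_SPACE:
        total += rng.getrandbits(tcp_seqbits)
        n += 1
    return n

if __name__ == "__main__":
    for bits in (SEQBITS_MIN, 21, SEQBITS_MAX):  # minimum, default, maximum
        print(f"tcp_seqbits={bits}: guess p={guess_probability(bits):.1e}, "
              f"wrap after ~{expected_connections_until_wrap(bits)} connections "
              f"(measured {measured_connections_until_wrap(123456789, bits)})")
```

Running it shows the compromise the text describes: 16 bits leaves roughly one chance in 65536 per guess but more than a hundred thousand connections before wrap, while 26 bits makes guessing a thousand times harder yet wraps after only about 128 connections.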