ISN Abuse (cont)
  One to four bytes per TCP connection.
  More, potentially, with compression.
  Very slow.
  Need to transmit some data in connection to be less obvious:
  Many half-opened connections is suspicious.
  Adding legitimate-looking connection wastes time.
  ISNs should be random:
  Clustering and Repeating should raise eyebrows.
  Works best on simple packet filters.

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SecureWorld Expo, 2003.

Presentation created using vim and MagicPoint.