ISN Abuse (cont)

- One to four bytes per TCP connection.
- More, potentially, with compression.
- Very slow.
- Need to transmit some data in the connection to be less obvious:
  - Many half-opened connections are suspicious.
  - Adding a legitimate-looking connection wastes time.
- ISNs should be random:
  - Clustering and repeating should raise eyebrows.
- Works best on simple packet filters.
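A defender-side check for the three signals named above (repeated ISNs, clustered ISNs, mostly half-open connections), as an added example that is not from the original slides. The record format, the thresholds and the sample values are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (source IP, ISN from the SYN, handshake completed?)
SAMPLE = (
    [("192.0.2.10", isn, True) for isn in (
        0x3A91C2E4, 0xB7045F19, 0x1C8E77A0, 0xE2503B6D,
        0x59F1A823, 0x8D27E4C6, 0x04BC9157, 0xF6683D0B)]
    + [("198.51.100.7", isn, False) for isn in (
        0x00000048, 0x00000065, 0x0000006C, 0x0000006C,
        0x0000006F, 0x00000020, 0x00000077, 0x0000006F)]
    + [("203.0.113.5", 0x11111111, False)]  # too few SYNs to judge
)

def isn_anomalies(records, min_syns=8, max_repeat=0.1,
                  max_cluster=0.5, max_half_open=0.8):
    """Return {src: [reasons]} for sources whose ISNs do not look random.

    Thresholds are illustrative assumptions, not values from the slides.
    """
    by_src = defaultdict(list)
    for src, isn, completed in records:
        by_src[src].append((isn & 0xFFFFFFFF, completed))

    findings = {}
    for src, rows in by_src.items():
        n = len(rows)
        if n < min_syns:
            continue  # not enough SYNs to say anything about randomness
        isns = [isn for isn, _ in rows]
        reasons = []
        # Repeating: share of SYNs that reuse an ISN already seen.
        if 1 - len(set(isns)) / n > max_repeat:
            reasons.append("repeating")
        # Clustering: share of ISNs in the most common upper-16-bit bucket.
        if Counter(i >> 16 for i in isns).most_common(1)[0][1] / n > max_cluster:
            reasons.append("clustering")
        # Half-open: share of SYNs that never completed the handshake.
        if sum(not done for _, done in rows) / n > max_half_open:
            reasons.append("half-open")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, reasons in isn_anomalies(SAMPLE).items():
        print(src, ", ".join(reasons))
```

Port scanners also leave many half-open connections, so the half-open signal is weak on its own and is best read together with the two ISN signals.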