Preventing Passive Analysis

Defending against sequence-number prediction is fairly trivial, and good solutions, such as Steven M. Bellovin’s RFC1948[87] specification, have been available for a long time. However, preventing passive analysis of the numbers is quite difficult, because the problem results not only from the weakness of the algorithms, but also from the diversity of the algorithms used, which causes few systems to share the same ISN footprint. Even among systems that implement RFC1948 or that use other cryptographically secure, external entropy-based generators, behavioral patterns may vary significantly, depending on the subtleties of the algorithm and the implementor’s assumptions as to the values that would be sufficient to thwart an attack.

A degree of prevention can be achieved by deploying a stateful packet firewall that rewrites all sequence numbers in outgoing packets[24]; this makes all systems within a protected network appear roughly the same. Unfortunately, only some offer this functionality, and only some can benefit from it.



[24] Solar Designer points out that, technically, this can also be implemented as a clever hack in a stateless firewall. The firewall may combine (through XOR, for example) the original sequence number with a secure hash of a secret key, combined with a quadruplet of addresses and ports that uniquely identify a connection. Returning packets could then have the hash removed (by subsequent XORing), making the packet match the internal host’s idea of the connection upon delivery, but existing only in an unpredictable, random 32-bit form while outside the firewall. This would work for all but the most broken (frequently repeating and collision-prone) ISN implementations.
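The stateless rewriting scheme sketched in the footnote, as an added example (not code from the book): a per-connection offset is derived from a keyed hash of the 4-tuple and applied to outbound sequence numbers and to inbound acknowledgements, with no connection table. It uses modular addition rather than XOR because the peer acknowledges the rewritten number plus the bytes it received, and an additive offset survives that arithmetic where an XOR mask does not; the secret key and addresses are constructed.

```python
import hashlib
import hmac
from typing import Tuple

MASK32 = 0xFFFFFFFF

# Constructed secret for the example; a real firewall would generate one at
# start-up and never expose it. (hypothetical value)
SECRET_KEY = b"example-firewall-secret-do-not-reuse"

# A connection is identified internal-side first, so packets in both directions
# derive the same offset: (internal_ip, internal_port, external_ip, external_port)
Flow = Tuple[str, int, str, int]


def connection_offset(flow: Flow, key: bytes = SECRET_KEY) -> int:
    """Keyed hash of the 4-tuple, truncated to 32 bits. No per-connection
    state is kept: the offset can be recomputed for any packet of the flow."""
    internal_ip, internal_port, external_ip, external_port = flow
    msg = f"{internal_ip}:{internal_port}|{external_ip}:{external_port}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def rewrite_outbound_seq(seq: int, flow: Flow, key: bytes = SECRET_KEY) -> int:
    """Packet leaving the internal host: replace its sequence number with
    an offset value that looks random to an outside observer."""
    return (seq + connection_offset(flow, key)) & MASK32


def rewrite_inbound_ack(ack: int, flow: Flow, key: bytes = SECRET_KEY) -> int:
    """Packet returning from the peer: its ACK counts in the rewritten space,
    so subtract the same offset to restore the internal host's view."""
    return (ack - connection_offset(flow, key)) & MASK32


def simulate_syn_exchange(internal_isn: int, flow: Flow) -> Tuple[int, int]:
    """Walk one SYN / SYN-ACK pair through the firewall. Returns the ISN the
    outside world sees and the ACK the internal host finally receives."""
    external_isn = rewrite_outbound_seq(internal_isn, flow)
    peer_ack = (external_isn + 1) & MASK32  # peer acknowledges the SYN in rewritten space
    delivered_ack = rewrite_inbound_ack(peer_ack, flow)
    return external_isn, delivered_ack


if __name__ == "__main__":
    # Constructed flows; the "internal host" hands out ISNs 1000 and 1001 back to
    # back, the kind of predictable footprint this rewriting is meant to hide.
    flow_a: Flow = ("10.0.0.5", 40001, "203.0.113.7", 80)
    flow_b: Flow = ("10.0.0.5", 40002, "203.0.113.7", 80)
    for isn, flow in ((1000, flow_a), (1001, flow_b)):
        ext, ack = simulate_syn_exchange(isn, flow)
        print(f"host ISN {isn} -> outside sees {ext:#010x}; host receives ack {ack}")
```

A production implementation would also have to apply the same offset to every other field that carries sequence numbers in the rewritten direction, such as SACK option blocks, and would still leak the footprint of hosts whose ISNs repeat, as the footnote notes.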
