TCP sequence number randomization


In a recent interview, my friend was asked about firewalls’ TCP sequence number randomization feature. The interviewer mentioned that we know that a firewall randomizes the TCP sequence number, but an attacker in the middle can still sniff that packet on the wire and send it on behalf of the sender. So what does randomization bring to the table?

I have studied this attack against sequence numbers in RFC 6528 but haven’t been able to grasp the concept fully.

I would appreciate help in understanding this.

Best Answer

I have nothing against Overmind's answer, which is definitely a good summary of why sequence number randomisation was invented. But I'm not sure it answers the question as asked, so I will try to do so.

You are right. Nothing stops a privileged MITM from faking a TCP reset, with a valid SN, right now - randomised SNs or no. But a privileged MITM need not go to such lengths to disturb your connections through his network - he need only unplug a cable, or change a router ACL.

SN randomisation was designed to stop everyone else from doing the same thing. If your SNs can be guessed, anyone can forge that TCP reset, and desynchronise your connections. If they can't be guessed, access to the data stream is required.
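The RFC 6528 scheme the question refers to, as an added illustration that is not part of the question or either answer: ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is the RFC 793 clock ticking every 4 microseconds and F is a keyed hash. It assumes MD5 as F (the RFC's example choice) and a constructed per-host secret; the contrast function shows why the old clock-only ISN is guessable while the keyed one is not, even though a single connection's ISN still advances with the clock.

```python
import hashlib
import ipaddress
import secrets
import struct

MASK32 = 0xFFFFFFFF

# Per-host secret; a real stack generates this at boot. Constructed here.
SECRET_KEY = secrets.token_bytes(32)

def tcp_clock(time_us: int) -> int:
    """M from RFC 793/RFC 6528: a 32-bit counter that increments every 4 us."""
    return (time_us // 4) & MASK32

def isn_rfc793(time_us: int) -> int:
    """Pre-randomisation behaviour: the ISN is just the clock value, so an
    off-path attacker who learns one ISN can predict the next one."""
    return tcp_clock(time_us)

def isn_rfc6528(local_ip: str, local_port: int, remote_ip: str,
                remote_port: int, time_us: int, key: bytes = SECRET_KEY) -> int:
    """ISN = M + F(4-tuple, secret). F is constant for one connection tuple,
    so the ISN still advances with the clock within that tuple, but the
    offset differs unpredictably between tuples without knowing the key."""
    tuple_bytes = (
        ipaddress.ip_address(local_ip).packed
        + struct.pack("!H", local_port)
        + ipaddress.ip_address(remote_ip).packed
        + struct.pack("!H", remote_port)
        + key
    )
    # MD5 is the hash RFC 6528 uses as its example PRF; the first 32 bits
    # of the digest serve as F.
    f = int.from_bytes(hashlib.md5(tuple_bytes).digest()[:4], "big")
    return (tcp_clock(time_us) + f) & MASK32

def isn_distance(a: int, b: int) -> int:
    """Shortest distance between two ISNs modulo 2^32. A small value means
    the second ISN can be guessed from the first (the old RFC 793 weakness)."""
    return min((b - a) & MASK32, (a - b) & MASK32)

if __name__ == "__main__":
    # Two connections opened 1 ms apart, to different remote ports.
    a = isn_rfc793(0)
    b = isn_rfc793(1000)
    print("RFC 793 distance (guessable):", isn_distance(a, b))
    c = isn_rfc6528("10.0.0.1", 40000, "192.0.2.10", 443, 0)
    d = isn_rfc6528("10.0.0.1", 40001, "192.0.2.10", 443, 1000)
    print("RFC 6528 distance across tuples:", isn_distance(c, d))
```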
