Microsoft have now confirmed the problem:

-----------------------------------------

From: Sunil Gopal
To: Roy Hills <[EMAIL PROTECTED]>
Subject: RE: NT 4.0 SP4 predictable initial TCP sequence numbers
Date: Tue, 24 Aug 1999 04:20:56 -0700

Hi Roy,

Sorry about the silence...

Though the TCP sequence generation pattern changes made to TCPIP.SYS for SP4 are an improvement, I have been informed that this has been resolved in Windows 2000 and will be "back ported" to NT 4.0 in a future SP release. The issue remains open and is being worked on.... We are trying to escalate this further and get it into the HOTFIX schedule and hope to make it available to xxx ASAP.

Hope this helps...

Thanks and Regards,

Sunil Gopal, MCSE
Technical Specialist/Systems Engineer
mailto:[EMAIL PROTECTED]

"Enable people to do anything they want, anytime they want, anywhere they want, on any device."

_____________________________________________________________________________________________

-----Original Message-----
From: Roy Hills [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 24, 1999 12:54 PM
To: Sunil Gopal
Subject: NT 4.0 SP4 predictable initial TCP sequence numbers

Folks,

I've not heard back from Microsoft yet regarding the new predictable initial TCP sequence pattern in NT 4.0 SP4, so I've done some more research on the testbench to gain a better understanding of what's going on.

It looks like the difference between initial TCP sequence numbers is always between 0 and 14 and is always an even number - i.e. 0,2,4,8,10,12 or 14.

From a sample of 5,000 initial sequence numbers - i.e. 4,999 difference pairs - I get the following distribution:

Sequence Number Difference    Number of occurrences
--------------------------    ---------------------
 0                            648
 2                            584
 4                            608
 6                            660
 8                            602
10                            666
12                            641
14                            590

I've also tested systems at different rates from one connection every 20ms to one connection per second, and the pattern remains the same. So it's not time-related like the old SP3 behaviour.

I'm going to post my finding to a couple of security mailing lists to share this information with the security community. Obviously I won't mention any names! I'll send you a copy of my posting to keep you informed of progress.

Regards,

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                Tel: +44 1634 721855
NTA Monitor Ltd                          FAX: +44 1634 721844
6 Beaufort Court, Medway City Estate,    Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FB, UK              WWW: http://www.nta-monitor.com/
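As an added illustration (not part of Roy's post, and not anything supplied by Microsoft or NTA Monitor), the following Python script reproduces the kind of audit described above: it takes a stream of initial sequence numbers observed from a host, computes the consecutive differences modulo 2^32, builds the histogram shown in the post's table, and flags a generator whose differences all fall inside a narrow window as predictable. The ISN samples are constructed with a fixed seed to mimic the reported SP4 pattern (even steps of 0 to 14) and, for contrast, a generator that draws uniformly from the full 32-bit space; the window threshold used by `assess` is an assumed audit parameter, not a figure from the post.

```python
import random
from collections import Counter

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_differences(isns):
    """Consecutive ISN differences reduced modulo 2^32, so that a wrap of the
    32-bit counter shows up as a small step rather than a huge negative one."""
    return [(later - earlier) % MOD for earlier, later in zip(isns, isns[1:])]


def difference_distribution(isns):
    """Histogram of consecutive differences, i.e. the table in the post."""
    return Counter(isn_differences(isns))


def format_distribution(dist):
    """Render the histogram in the same two-column layout as the post."""
    lines = ["Sequence Number Difference    Number of occurrences",
             "--------------------------    ---------------------"]
    for diff in sorted(dist):
        lines.append(f"{diff:>26}    {dist[diff]:>21}")
    return "\n".join(lines)


def assess(isns, window=2 ** 16):
    """Summarise how guessable the next ISN is given the previous one.

    If every observed difference lies within a narrow window, a single observed
    connection narrows the next ISN to a handful of candidates, which is the
    SP4 weakness the post describes.  The window size is an assumed audit
    threshold (constructed here), not a value taken from the post.
    """
    diffs = isn_differences(isns)
    dist = Counter(diffs)
    span = max(diffs) - min(diffs)
    return {
        "samples": len(isns),
        "distinct_differences": len(dist),
        "min_difference": min(diffs),
        "max_difference": max(diffs),
        "span": span,
        "predictable": span < window,
    }


def sp4_like_sample(count=5000, seed=1999):
    """Constructed ISN stream mimicking the reported SP4 pattern: each new ISN
    is the previous one plus an even step between 0 and 14 (not real data)."""
    rng = random.Random(seed)
    isns = [rng.randrange(MOD)]
    for _ in range(count - 1):
        isns.append((isns[-1] + rng.choice(range(0, 16, 2))) % MOD)
    return isns


def random_sample(count=5000, seed=1999):
    """Constructed contrast: ISNs drawn uniformly from the full 32-bit space."""
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(count)]


if __name__ == "__main__":
    weak = sp4_like_sample()
    print(format_distribution(difference_distribution(weak)))
    print(assess(weak))
    print(assess(random_sample()))
```

In practice the input to `assess` would be the ISNs captured from a series of connections to the host under test (for example from a packet capture), sampled at several connection rates as the post does, so that a time-dependent generator like the SP3 one is not mistaken for a rate-independent one.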