Information
The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session.
Rationale:
The RFC 1948 method is widely accepted as the strongest mechanism for TCP initial sequence number generation. It makes remote session hijacking more difficult, as well as any other network-based attack that relies on predicting TCP sequence numbers. It is theoretically possible that this setting adds a small performance cost to connection setup, but there are no publicly available benchmarks that establish this.
Solution
Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file:
# cd /etc/default
# awk '/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; { print }' inetinit > inetinit.CIS
# mv inetinit.CIS inetinit
To set the TCP_STRONG_ISS parameter on a running system, run the following command:
# ipadm set-prop -p _strong_iss=2 tcp
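The awk one-liner above only rewrites a line that already contains TCP_STRONG_ISS=; if the variable is absent from the file, nothing is written and the next boot keeps the default. The following added example, which is not part of the benchmark text, wraps the same idea in three shell functions: read the effective value from an inetinit-style file, audit it against the expected value 2, and remediate by replacing any existing assignment or appending one when none is present. The file path is a parameter so it can be exercised on a constructed copy; the sample content is constructed here and is not the real /etc/default/inetinit.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Oracle): audit and remediate
# TCP_STRONG_ISS in an inetinit-style file. Every function takes the file
# path as $1 so it can be run against a constructed copy.

# Print the effective TCP_STRONG_ISS value (the last uncommented
# assignment wins, as it would when the file is sourced); prints nothing
# if the variable is not set at all.
get_strong_iss() {
    awk -F= '/^[ \t]*TCP_STRONG_ISS=/ { v = $2 } END { if (v != "") print v }' "$1"
}

# Return 0 when the file is compliant (TCP_STRONG_ISS=2), 1 otherwise.
audit_strong_iss() {
    [ "$(get_strong_iss "$1")" = "2" ]
}

# Rewrite the file so that TCP_STRONG_ISS=2: replace every existing
# uncommented assignment and append one if none was present. Like the
# benchmark's inetinit.CIS step, write a temporary copy and rename it
# over the original so readers never see a half-written file.
set_strong_iss() {
    f="$1"
    tmp="$f.CIS"
    awk '
        /^[ \t]*TCP_STRONG_ISS=/ { print "TCP_STRONG_ISS=2"; seen = 1; next }
        { print }
        END { if (!seen) print "TCP_STRONG_ISS=2" }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Constructed sample resembling /etc/default/inetinit with the weaker
# setting TCP_STRONG_ISS=1 (the value 0 is weaker still).
make_sample() {
    cat > "$1" <<'EOF'
# Constructed sample file, not the real /etc/default/inetinit
# TCP_STRONG_ISS=0 is the weakest setting and stays commented out here
TCP_STRONG_ISS=1
EOF
}

# Stand-alone demonstration on a temporary copy.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/inetinit"
echo "before: TCP_STRONG_ISS=$(get_strong_iss "$demo_dir/inetinit")"
set_strong_iss "$demo_dir/inetinit"
echo "after:  TCP_STRONG_ISS=$(get_strong_iss "$demo_dir/inetinit")"
rm -rf "$demo_dir"
```

Run against the real file only as root and after taking a backup; on a live Solaris 11 system the file change still needs the ipadm command above (or a reboot) to take effect, and the running value can be compared with what the file says before and after.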