Statistical (Birthday?) attack against TCP ISNs?

["Granquist, Lamont" <lamont () SCRIPTKIDDIE ORG>]

Here's a thought on how to attack TCP ISNs irregardless of the strength of
the PRNG being used:

1.  fill the listen() backlog of 32768 connections completely with
    connections that have the same ISN (SYN flooding with the same
    ISN)

2.  keep guessing reply ISNs and sending ACKs until statistically you
    succeed

The success of this would come after 2^32 / 2^15 = 2^17 (131,072) guesses
of ACK packets.  You'd need to make sure the listen() backlog was kept
full during this whole time.

Problems:

1.  I'm not sure what happens when you SYN flood with packets that
    have the same ISN -- you may not generate 32768 table entries.

2.  Do you even need to worry about the ISN that you sent in the SYN
    packet?  I can't remember if we need to remember this or not, its been
    a year or two since I've torn apart TCP connections at this level...

3.  SYN cookies?

4.  Anything that can take entries out of the listen() queue.

I need hit Stevens a bit more to refresh my memory and answer these
questions, but I thought I'd throw this out there.

(And obviously this is all inspired by trying to figure out what Newsham's
attack against TCP ISNs is...)

I rolled up a little bit of perl to monte carlo simulate this and confirm
that it would take about 2^17 tries to succeed.  I haven't actually tried
this against a target TCP/IP stack though...