On Tue, 20 Apr 2004, tad pedley wrote:
> Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32-bit number, giving a probability of 1/2^32 of guessing the sequence number correctly (assuming a random distribution).
>
> The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper Slipping In The Window: TCP Reset Attacks, presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/2^32 because the receiving TCP implementation will accept any sequence number in a certain range (or window) of the expected sequence number. The window makes TCP reset attacks practicable.
Believed by whom, is the question. It has been clearly documented for a long time now that such larger windows exist. They have even been documented specifically about BGP (draft-ietf-idr-bgp-vuln-00.txt).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
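An added illustration, not part of this thread, of the receiver-side check the quoted text describes: the classic RFC 793 rule accepts a RST anywhere inside the receive window, so a blind guess succeeds with probability RCV.WND / 2^32 rather than 1 / 2^32. The contrasting exact-match rule with a challenge ACK is the mitigation later standardised in RFC 5961 (not mentioned on the page); the connection state values are constructed.

```python
# Added example: models TCP RST acceptance at the receiver and the
# effect of the receive window on blind-guess odds. Not code from the
# thread; the hardened rule follows RFC 5961 (a later mitigation).

SEQ_SPACE = 2 ** 32  # sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 rule: RCV.NXT <= seq < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classic_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic receiver: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def hardened_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 style: only an exact RCV.NXT match resets; an in-window
    but inexact RST gets a challenge ACK that a blind sender never sees."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_hit_probability(rcv_wnd: int, hardened: bool = False) -> float:
    """Probability that one RST carrying a uniformly random sequence
    number is accepted as a reset: the 'window' effect in the quote."""
    accepted = 1 if hardened else rcv_wnd
    return accepted / SEQ_SPACE


if __name__ == "__main__":
    # Constructed state: the receiver expects 0xFFFFFF00 next with a
    # 16 KiB window, so the window wraps past the end of sequence space.
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 16384
    probes = (rcv_nxt, (rcv_nxt + 1000) % SEQ_SPACE, rcv_nxt - 1)
    for seq in probes:
        print(hex(seq), classic_rst_action(seq, rcv_nxt, rcv_wnd),
              hardened_rst_action(seq, rcv_nxt, rcv_wnd))
    for wnd in (16384, 65535, 1 << 20):
        print(wnd, blind_hit_probability(wnd),
              blind_hit_probability(wnd, hardened=True))
```

The second probe lands inside the window only because the check is done modulo 2^32; a receiver that compares sequence numbers without wraparound would miss it.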