If a packet arrives at host A with B’s source address, it could just as easily have been forged by any third host C. If, however, A accepts a TCP connection from B, then during the three-way handshake, A sent ISNA to B’s address and received an acknowledgment of it. If C is not located so as to be able to eavesdrop on ISNA, then it might seem that C could not have forged B’s response.

However, the algorithm for choosing ISNA does give other unrelated hosts a fair chance of guessing it. Specifically, A selects ISNA based on a clock value at the time of connection. Request for Comments 793 specifies that this clock value be incremented every 4 µs; common Berkeley implementations once simplified this to incrementing by 250,000 (or 256,000) once per second.

(a) Given this simplified increment-once-per-second implementation, explain how an arbitrary host C could masquerade as B in at least the opening of a TCP connection. You may assume that B does not respond to SYN + ACK packets A is tricked into sending to it.

(b) Assuming real RTTs can be estimated to within 40 ms, about how many tries would you expect it to take to implement the strategy of part

(a) with the unsimplified “increment every 4 µs” TCP implementation?