
TCP sequence number randomization needs to be disabled for some websites

I have customers who report that suddenly some websites (banks and one mobile network provider) are not accessible any more. If I switch the setting "enable TCP sequence number randomization" to off, the websites can be accessed again.

Can someone explain what could be the cause for this? There were reports in the newspaper that some banks have suffered DDoS attacks just about when I saw this issue for the first time, but that probably doesn't make any sense?

Category: Entry Level Firewalls

Answers

  • Teleporter Newbie ✭
    edited January 28

    Obviously, we upgraded all those firewalls to the latest version recently.

  • Arkwright Community Legend ✭✭✭✭✭

    Saw a similar issue recently with accessing the Vodafone management portal. My guess is this is some security feature in a WAF product somewhere. Bug or not? I am not sure.

    Amusingly enough, this Sonicwall KB article implies that if other devices use sequence number randomisation, the Sonicwall might perceive it as a problem :)

    https://www.sonicwall.com/support/knowledge-base/dropped-packets-because-of-invalid-tcp-flag/170504420448221

  • TKWITS Community Legend ✭✭✭✭✭

    To expand on Arkwright's reply: some implementations of firewalls will be more sensitive to things like sequence randomization.

    While it's likely part of a published spec, not every manufacturer follows specs, and not every admin keeps firmware / OS / software up to date to meet said specs.

    Vent: The internet is the wild west, and many don't realize how lucky we all are that it's so resilient to all the constant changes. Bless the makers.

  • OwaisA SonicWall Employee

    This issue is related to the TCP Sequence Number Randomization feature, which helps prevent session hijacking by randomizing TCP sequence numbers.

    Some websites, particularly banks and services with strict security policies, may not handle randomized sequence numbers correctly, leading to connection failures.
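    To make the rewriting described above concrete, here is an added example (not SonicWall's code and not from this thread): a small Python model of per-flow initial sequence number (ISN) rewriting as a stateful firewall does it, plus the check a practitioner would run first, namely comparing the same SYN as captured on the LAN side and on the WAN side of the firewall. The packets, addresses (RFC 5737 documentation ranges), ports and the fixed offset are all constructed for the example; a real firewall draws the offset randomly per flow and recomputes checksums, which this model leaves at zero. The model rewrites only the client's sequence space, which is enough to show why the two captures disagree and why the endpoints still see a consistent handshake.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}
MOD32 = 1 << 32


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Assemble a minimal IPv4+TCP segment. Constructed for this example;
    both checksums are left at zero because nothing here hits a wire."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq % MOD32, ack % MOD32,
                          5 << 4, flag_bits, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Pull out the fields a sequence-number investigation needs."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, _off, flag_bits = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    flags = {name for name, bit in TCP_FLAGS.items() if flag_bits & bit}
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}


def rewrite(pkt, seq=None, ack=None):
    """Patch the seq and/or ack field in place (checksum not recomputed; see above)."""
    ihl = (pkt[0] & 0x0F) * 4
    buf = bytearray(pkt)
    if seq is not None:
        struct.pack_into("!I", buf, ihl + 4, seq % MOD32)
    if ack is not None:
        struct.pack_into("!I", buf, ihl + 8, ack % MOD32)
    return bytes(buf)


def isn_delta(lan_syn, wan_syn):
    """The check: same SYN captured on both sides of the firewall. A nonzero
    result means something between the two capture points rewrote the ISN."""
    return (parse_ipv4_tcp(wan_syn)["seq"] - parse_ipv4_tcp(lan_syn)["seq"]) % MOD32


class SeqRandomizer:
    """Model of a stateful firewall's ISN randomization: on the client's SYN a
    per-flow offset is chosen and added to every client->server sequence number;
    on the way back the same offset is subtracted from the server's ACK numbers,
    so the client never learns that its sequence space was shifted."""

    def __init__(self, offset_for_flow):
        # offset_for_flow is deterministic here so the example is checkable;
        # a real firewall draws it from a CSPRNG per flow.
        self._offset_for_flow = offset_for_flow
        self._offsets = {}

    def outbound(self, pkt):
        seg = parse_ipv4_tcp(pkt)
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        if "SYN" in seg["flags"] and "ACK" not in seg["flags"]:
            self._offsets[key] = self._offset_for_flow(key)
        return rewrite(pkt, seq=seg["seq"] + self._offsets[key])

    def inbound(self, pkt):
        seg = parse_ipv4_tcp(pkt)
        key = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        if "ACK" in seg["flags"]:
            return rewrite(pkt, ack=seg["ack"] - self._offsets[key])
        return pkt


def run_handshake(client_isn=1000, server_isn=5000, offset=0x12345678):
    """Three-way handshake through the model; returns what each side observed."""
    fw = SeqRandomizer(lambda key: offset)
    client, server = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation addresses
    syn = build_ipv4_tcp(client, server, 40000, 443, client_isn, 0, ["SYN"])
    syn_wan = fw.outbound(syn)                      # what the WAN-side capture shows
    server_sees = parse_ipv4_tcp(syn_wan)
    synack = build_ipv4_tcp(server, client, 443, 40000, server_isn,
                            server_sees["seq"] + 1, ["SYN", "ACK"])
    client_sees = parse_ipv4_tcp(fw.inbound(synack))
    ack = build_ipv4_tcp(client, server, 40000, 443, client_isn + 1, server_isn + 1, ["ACK"])
    ack_wan = parse_ipv4_tcp(fw.outbound(ack))
    return {
        "lan_isn": parse_ipv4_tcp(syn)["seq"],
        "wan_isn": server_sees["seq"],
        "isn_delta": isn_delta(syn, syn_wan),
        # the client must see an ACK of its own ISN + 1, untouched by the offset
        "client_ack_ok": client_sees["ack"] == (client_isn + 1) % MOD32,
        # the server must see the client's next seq in the shifted space
        "server_seq_ok": ack_wan["seq"] == (client_isn + 1 + offset) % MOD32,
    }
```

    If a LAN-side and a WAN-side capture of the same SYN give a nonzero delta, the firewall is rewriting the ISN on that flow; that confirms the feature is active on the path, and it is the first thing to establish before working out why a particular remote end then fails the handshake or drops the connection.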
