by bartc 4271 days ago
If your system security depends in any way on a randomly initialized TCP sequence number, you're asking for trouble.

It seems it would be preferable to use predictable values so people don't get the impression that random values are somehow more secure.

5 comments

Kevin Mitnick is rather famous for this type of attack [1]. These are dangerous attacks and we do depend on this working correctly. Phrack also has some interesting reading about spoofing attacks [2, 3].

[1] http://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attack

[2] http://phrack.org/issues/48/14.html

[3] http://phrack.org/issues/53/6.html
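
Whether a host's ISNs are actually predictable can be measured rather than assumed. The following is an added example, not code from the thread or from any of the sources cited above: a simplified audit in the spirit of nmap's TCP sequence predictability index (the scoring thresholds and the sample ISN sequences are constructed for illustration, not nmap's formula or real captures).

```python
import math
import statistics

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around
LOW_VARIANCE_BITS = 16     # constructed threshold for this illustration, not a standard


def signed_delta(a, b):
    """Smallest signed step from ISN a to ISN b on the 32-bit ring."""
    d = (b - a) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def isn_report(isns):
    """Score ISNs sampled from one host (e.g. from several connections opened
    in a row) by the spread of their successive deltas.
    Returns (index_bits, verdict): 0 bits means the next ISN is fully determined
    by the previous one; a low index means it is guessable within a small window.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = [signed_delta(a, b) for a, b in zip(isns, isns[1:])]
    spread = statistics.pstdev(deltas)
    if spread == 0:
        return 0, "constant increment"   # fixed step per connection
    bits = round(math.log2(spread))
    if bits < LOW_VARIANCE_BITS:
        return bits, "low variance"      # counter/clock driven with small jitter
    return bits, "random-looking"        # deltas spread over most of the ring


# Constructed sample sequences (not captured from any real host):
CONSTANT_STEP = [1000 + 128000 * i for i in range(8)]
JITTERY_CLOCK = [1000, 65010, 129990, 195020, 260005]
RANDOMISH = [0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF, 0x5A5A5A5A, 0xC0FFEE00]

if __name__ == "__main__":
    for name, seq in (("constant", CONSTANT_STEP),
                      ("jittery", JITTERY_CLOCK),
                      ("randomish", RANDOMISH)):
        print(name, isn_report(seq))
```

Feed it ISNs captured from your own hosts to see which class your stack falls into; anything other than "random-looking" is the case the thread warns about, and even a good result only buys 32 bits of margin.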

Spoofed TCP connections can be annoying even if they don't actually breach the security of a system?

Spoofed TCP disconnections can be annoying too.

Denial of service is a legitimate "security" concern in most contexts. No, this isn't shellshock, but it's worth fixing.

Many, many, many systems (like CDNs, or high-profile financial firms) depend mostly on IP whitelisting for their public-facing origin security. Whenever there's "partners" or "3rd parties" that need access to some service but they want to generally keep people from the internet off it, they just get lazy and IP whitelist instead of creating a VPN like they should. There's probably tens of thousands of organizations with setups like this.

Depending on the required level of security, that is probably fine. Protecting the origin server of a CDN via IP whitelisting is fine, if the content is publicly available via the CDN anyways and you treat that as a "we don't want everyone to use the origin, please use the CDN"-level of security. Using whitelisting to really keep people off the origin, however, is probably not.

For something like CloudFlare which in itself is designed to be a security filter as well as a CDN, having people able to touch the origin server (if they can find it) would be highly undesirable.

Random TCP ISN is about all the security that the cheap CAs require before signing a certificate.