TCP sequence prediction attack
A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.[1]
This article is part of a series on |
Computer hacking |
---|
History |
Hacker culture & ethic |
Conferences |
Computer crime |
Hacking tools |
Practice sites |
Malware |
Computer security |
Groups |
|
Publications |
The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host which will seem to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker. One possible way for this to occur is for the attacker to listen to the conversation occurring between the trusted hosts, and then to issue packets using the same source IP address. By monitoring the traffic before an attack is mounted, the malicious host can figure out the correct sequence number. After the IP address and the correct sequence number are known, it is basically a race between the attacker and the trusted host to get the correct packet sent. One common way for the attacker to send it first is to launch another attack on the trusted host, such as a Denial-of-Service attack. Once the attacker has control over the connection, it is able to send counterfeit packets without getting a response.[2]
If an attacker can cause delivery of counterfeit packets of this sort, he or she may be able to cause various sorts of mischief, including the injection into an existing TCP connection of data of the attacker's choosing, and the premature closure of an existing TCP connection by the injection of counterfeit packets with the RST bit set.
Theoretically, other information such as timing differences or information from lower protocol layers could allow the receiving host to distinguish authentic TCP packets from the sending host and counterfeit TCP packets with the correct sequence number sent by the attacker. If such other information is available to the receiving host, if the attacker can also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually this is not the case, so the TCP sequence number is the primary means of protection of TCP traffic against these types of attack.
Another solution to this type of attack is to configure any router or firewall to not allow packets to come in from an external source but with an internal IP address. Although this does not fix the attack, it will prevent the potential attacks from reaching their targets.[2]
See also
- Aircrack
- AirSnort
- BackTrack
- Denial-of-service attack
- Nmap
- Packet sniffer
- Snort
- SYN flood
- Wireshark
References
- Bellovin, S.M. (1 April 1989). "Security Problems in the TCP/IP Protocol Suite". ACM SIGCOMM Computer Communication Review. Retrieved 6 May 2011.
- "TCP Sequence Prediction Attack".
External links
- RFC 1948, Defending Against Sequence Number Attacks, May 1996, obsoleted by RFC 6528 Steven M. Bellovin.
- RFC 6528, Defending against Sequence Number Attacks, February 2012 Standard Track Steven M. Bellovin
- A Weakness in the 4.2BSD Unix TCP/IP Software