TCP sequence prediction attack
A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection.
The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host which will seem to it to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker.
If an attacker can cause delivery of counterfeit packets of this sort, he or she may be able to cause various sorts of mischief, including the injection into an existing TCP connection of data of the attacker's choosing, and the premature closure of an existing TCP connection by the injection of counterfeit packets with the FIN bit set.
Theoretically, other information such as timing differences or information from lower protocol layers could allow the receiving host to distinguish between authentic TCP packets from the sending host and counterfeit TCP packets with the correct sequence number sent by the attacker.
If such other information is available to the receiving host, if the attacker cannot also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually this is not the case, so the TCP sequence number is the primary means of protection of TCP traffic against these types of attack.
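The receiver-side check that makes the sequence number the gatekeeper can be written out as the segment acceptability test from RFC 793. The following is an added example, not part of the original article; the function names are hypothetical and the values in `main` are constructed. It shows the comparison done in 32-bit wraparound arithmetic and how the receive window size determines what share of the sequence space the receiver will accept.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True when lo <= x < lo + len in 32-bit sequence space (wraparound-safe). */
static bool seq_in_window(uint32_t x, uint32_t lo, uint32_t len)
{
    return (uint32_t)(x - lo) < len;
}

/* RFC 793 segment acceptability test. rcv_nxt and rcv_wnd are the receiver's
 * state; seg_seq and seg_len describe the arriving segment. */
bool segment_acceptable(uint32_t rcv_nxt, uint32_t rcv_wnd,
                        uint32_t seg_seq, uint32_t seg_len)
{
    if (seg_len == 0)
        return rcv_wnd == 0 ? seg_seq == rcv_nxt
                            : seq_in_window(seg_seq, rcv_nxt, rcv_wnd);
    if (rcv_wnd == 0)
        return false;                 /* no room for any data */
    /* Accept if the first or the last byte of the segment is in the window. */
    return seq_in_window(seg_seq, rcv_nxt, rcv_wnd) ||
           seq_in_window(seg_seq + seg_len - 1, rcv_nxt, rcv_wnd);
}

/* Share of the 2^32 sequence space that passes the test for a zero-length
 * segment. A larger receive window means a weaker sequence-number check. */
double acceptable_fraction(uint32_t rcv_wnd)
{
    uint32_t n = rcv_wnd == 0 ? 1 : rcv_wnd;
    return (double)n / 4294967296.0;
}

int main(void)
{
    /* Constructed receiver state close to the 32-bit wrap point. */
    uint32_t rcv_nxt = 0xFFFFFF00u, rcv_wnd = 65535;
    printf("in-window segment accepted: %d\n",
           segment_acceptable(rcv_nxt, rcv_wnd, 0x00000010u, 100));
    printf("far-off segment accepted:   %d\n",
           segment_acceptable(rcv_nxt, rcv_wnd, 0x7FFFFFFFu, 100));
    printf("accepted share of sequence space: %.6f%%\n",
           100.0 * acceptable_fraction(rcv_wnd));
    return 0;
}
```

A segment that fails this test is not processed as connection data, which is why unpredictable sequence numbers matter when no other authenticating information is available.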
According to tech-faq.com: "an attempt to hijack an existing TCP session by injecting packets which pretend to come from one computer involved in the TCP session."
External links
* [http://portal.acm.org/citation.cfm?id=378444.378449 Security problems in the TCP/IP protocol suite], April 1989, Steven M. Bellovin.
* RFC 1948, Defending Against Sequence Number Attacks, May 1996, Steven M. Bellovin.
* http://www.tech-faq.com/tcp-sequence-prediction.shtml
Wikimedia Foundation. 2010.