HOME

TheInfoList



Click Here for Items Related To - TCP Sequence Prediction Attack
OR:
TCP Sequence Prediction Attack on:   [Wikipedia]   [Google]   [Amazon]

A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a
TCP connection TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication ...
, which can be used to counterfeit packets. The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host which will seem to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker. One possible way for this to occur is for the attacker to listen to the conversation occurring between the trusted hosts, and then to issue packets using the same source
IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
. By monitoring the traffic before an attack is mounted, the malicious host can figure out the correct sequence number. After the IP address and the correct sequence number are known, it is basically a race between the attacker and the trusted host to get the correct packet sent. One common way for the attacker to send it first is to launch another attack on the trusted host, such as a
Denial-of-Service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host conn ...
. Once the attacker has control over the connection, they are able to send counterfeit packets without getting a response. If an attacker can cause delivery of counterfeit packets of this sort, they may be able to cause various sorts of mischief, including the injection into an existing TCP connection of data of the attacker's choosing, and the premature closure of an existing TCP connection by the injection of counterfeit packets with the RST bit set. (
TCP reset attack TCP reset attack, also known as a "forged TCP reset" or "spoofed TCP reset", is a way to terminate a TCP connection by sending a forged TCP reset packet. This tampering technique can be used by a firewall or abused by a malicious attacker to interr ...
) Theoretically, other information such as timing differences or information from lower protocol layers could allow the receiving host to distinguish authentic TCP packets from the sending host and counterfeit TCP packets with the correct sequence number sent by the attacker. If such other information is available to the receiving host, if the attacker can also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually this is not the case, so the TCP sequence number is the primary means of protection of TCP traffic against these types of attack. Another solution to this type of attack is to configure any router or firewall to not allow packets to come in from an external source but with an internal IP address. Although this does not fix the attack, it will prevent the potential attacks from reaching their targets.


See also

*
SYN flood A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough ...
* Aircrack * BackTrack *
Nmap Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym ''Fyodor Vaskovich''). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap prov ...
* Packet sniffer *
Snort Snort may refer to: * Nose-blowing * Sniffle * Nasal administration, the inhaling of drugs through the nose * Snort (software), a package for intrusion detection * Snort, a map-coloring game * Insufflation, the act of blowing, breathing, hissing, ...
* Wireshark


References

{{Reflist, refs = {{cite web, title=TCP Sequence Prediction Attack, url=http://www.tech-faq.com/tcp-sequence-prediction-attack.html {{cite journal, last=Bellovin, first=S.M., title=Security Problems in the TCP/IP Protocol Suite, journal=ACM SIGCOMM Computer Communication Review, date=1 April 1989, url=http://portal.acm.org/citation.cfm?id=378444.378449, accessdate=6 May 2011


External links

* RFC 1948, Defending Against Sequence Number Attacks, May 1996, obsoleted by RFC 6528 Steven M. Bellovin. * RFC 6528, Defending against Sequence Number Attacks, February 2012 Standard Track Steven M. Bellovin
A Weakness in the 4.2BSD Unix TCP/IP Software
Sequence Prediction Attack Computer network security