What is the TCP sequence prediction attack?
The TCP protocol is a connection-oriented protocol. When two hosts communicate with each other using the TCP protocol, they first establish a connection between them. Then, the transfer of data packets begins. The sender sends a data packet, the receiver receives it and sends an acknowledgment. The sender gets the acknowledgment and transfers the next data packet.
When data packets are transferred over the TCP connection, each packet contains a sequence number. This sequence number helps in keeping track of data packets received and acknowledged.
Sometimes, attackers exploit this concept of sequence numbers of TCP packets and perpetrate attacks for malicious purposes. This type of attack is called the TCP sequence prediction attack.
The purpose of TCP sequence prediction attacks
Suppose two hosts A and B are communicating with each other using a TCP connection. An attacker can perpetrate the TCP sequence prediction attack to impersonate host B and inject a counterfeit data packet into host A. So, host A will think that the data packets are coming from trusted host B, though they are actually coming from the attacker. The attacker can even close the connection to host A prematurely or do other mischief to hide his own identity.
Why do attackers predict sequence numbers of TCP packets?
Suppose host A and host B are communicating with each other using a TCP connection. An attacker is listening to their communication. If the attacker wants to impersonate host B and send a counterfeit data packet to host A, he cannot simply send the packet to host A using host B’s identity. Each data packet has a sequence number that is checked in every packet transfer. So, the attacker has to predict that sequence number and include that in the counterfeit data packet as well. And, hence the attacker tries to predict the sequence number of the TCP packets.
How does the TCP sequence prediction attack work?
The attacker typically follows these steps to perpetrate the TCP sequence prediction attack.
- Suppose host A and host B are communicating with each other using a TCP connection. An attacker listens to the conversation and wants to impersonate host B and send counterfeit packets to host A.
- The attacker tracks the sequence number of each data packet. He predicts the sequence number that the counterfeit data packet should have and makes the packet.
- The attacker starts sending those packets to host A and spoofs the IP address of the victim host B.
- At this point, host B may send the actual packet to host A. That would create confusion for host A, as it will receive both packets.
- So, to avoid that, the attacker performs a DoS attack on host B at the same time. As a result, host B cannot send the intended data packets to host A. Thus, the attacker can easily impersonate host B.
- Now, the attacker can impersonate host B and introduce counterfeit data packets to host A, close the TCP connection prematurely, or do other mischief.
0 Comments