CITS3002 Computer Networks  

TCP/IP Sequence Number Attacks, continued

Traditional BSD-derived implementations change only the 2nd byte of the sequence number, once every second, and each new connection advances it by 64. An attacker who has established a valid connection (and so observed one current value) is therefore able to 'guess' the next number to be used.

A series of well-known attacks exploit the non-randomness of these initial sequence numbers.

The attacker, C, establishes a valid connection with B, thus learning one of B's 'current' values for ISNb. The attacker, C, now impersonates A by sending a packet to B, but with A's NIC address set in the Ethernet packet:

  C(as A)->B : SYN, ISNc

B replies with

  B->A : SYN, ISNb* , ACK(ISNc)

to the true machine A. C will probably not see this message B->A, but can guess the value of ISNb* from the value it observed earlier. C now sends

  C(as A)->B : ACK(ISNb*)

and B believes that it has a valid connection with A. A is confused as to why it received B->A, and may choose to ignore it, or to inform B (with a RESET packet) that something is amiss.

If A chooses to ignore the packet B->A, then C can continue to send packets to B, assuming A's identity. If C can see all replies from B->A in the session, then C can fully masquerade as A, while A ignores the transmissions of which it is not a part.
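The whole attack rests on the guessability noted at the top of the page: one ISN observed on the attacker's own connection reveals the ISN B will hand to the next connection. The following simulation is an added example (not code from the lecture notes) that places a counter-based generator of the kind described above beside a hashed generator in the style of RFC 6528, which adds a per-4-tuple secret offset, and measures how far a counter-based prediction lands from the ISN actually issued. The per-second and per-connection constants, the addresses and the secret key are constructed for illustration, and HMAC-SHA256 stands in for the keyed function (RFC 6528 itself suggests MD5).

```python
"""Predictable (counter) vs. hashed initial sequence numbers: a simulation.

Added example; constants, addresses and the secret are constructed, and the
counter scheme mirrors the lecture's description rather than any real kernel.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


class BsdStyleIsn:
    """Counter-based ISN of the kind the notes describe: one global counter that
    advances by a fixed amount per elapsed second and by 64 per new connection.
    PER_SECOND = 256 models the notes' remark that only the 2nd byte changes
    each second; both constants are illustrative."""

    PER_SECOND = 256
    PER_CONNECTION = 64

    def __init__(self, start=0x1000_0000):
        self.counter = start

    def tick(self, seconds=1):
        """Advance the clock by `seconds`."""
        self.counter = (self.counter + self.PER_SECOND * seconds) & MASK32

    def next_isn(self, local, remote):
        """ISN for a new connection. The 4-tuple is ignored, which is exactly
        why one observed ISN reveals the next one."""
        self.counter = (self.counter + self.PER_CONNECTION) & MASK32
        return self.counter


class HashedIsn:
    """RFC 6528-style generator: ISN = M + F(localip, localport, remoteip,
    remoteport, secret), where M is a clock in 4-microsecond units and F is a
    keyed hash. Each 4-tuple gets its own secret offset, so an ISN learned on
    one connection says nothing about the ISN of a connection between
    different endpoints. (The RFC suggests MD5 for F; HMAC-SHA256 is used here.)"""

    def __init__(self, secret, start_time_us=0):
        self.secret = secret
        self.time_us = start_time_us

    def tick(self, seconds=1):
        self.time_us += seconds * 1_000_000

    def next_isn(self, local, remote):
        (lip, lport), (rip, rport) = local, remote
        material = b"".join([
            lip.encode(), struct.pack("!H", lport),
            rip.encode(), struct.pack("!H", rport),
        ])
        f = int.from_bytes(hmac.new(self.secret, material, "sha256").digest()[:4], "big")
        m = (self.time_us // 4) & MASK32
        return (m + f) & MASK32


def counter_prediction(observed_isn, seconds_elapsed,
                       per_second=BsdStyleIsn.PER_SECOND,
                       per_connection=BsdStyleIsn.PER_CONNECTION):
    """What someone who knows the counter scheme would expect the next ISN to
    be, given one ISN observed `seconds_elapsed` seconds ago."""
    return (observed_isn + per_second * seconds_elapsed + per_connection) & MASK32


def prediction_gap(generator, seconds_between=1):
    """Replay the scenario from the notes against `generator`: a legitimate
    connection reveals one ISN, time passes, then a connection from a different
    address is opened. Returns the distance (mod 2^32) between the counter-based
    prediction and the ISN actually issued; 0 means perfectly predictable."""
    server = ("10.0.0.2", 25)                                  # B (constructed)
    observed = generator.next_isn(server, ("10.0.0.3", 40000))  # C's own connection
    generator.tick(seconds_between)
    actual = generator.next_isn(server, ("10.0.0.1", 1023))     # connection "from A"
    return (actual - counter_prediction(observed, seconds_between)) & MASK32


if __name__ == "__main__":
    print("counter scheme gap:", prediction_gap(BsdStyleIsn()))
    print("hashed scheme gap: ", prediction_gap(HashedIsn(b"constructed-secret-key")))
```

The counter scheme reports a gap of 0: the prediction is exact, which is the whole basis of the masquerade. The hashed scheme's gap is the unknown per-4-tuple offset, so a guess based on an earlier observation does not land on ISNb*, and B never completes the three-way handshake for the forged SYN. Defenders today get this from the kernel for free (modern TCP stacks implement RFC 6528 or stronger), so the remaining check on a legacy or embedded host is simply to confirm that consecutive ISNs to different endpoints are not a fixed step apart.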


CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p10, 15th May 2024.