TCP sequence prediction

from Wikipedia, the free encyclopedia

TCP sequence prediction (TCP sequence number prediction) describes a method of attack in IP networks used to impersonate another sender (IP spoofing) or to take over existing connections (TCP/IP hijacking).

The TCP protocol uses the sequence number to identify the bytes being sent. The sequence number is accordingly increased continuously by the number of bytes sent. A receiver is thus able to present the data stream to the application in the correct order even if some packets arrive out of their original order or are lost, e.g. because of differing transit times. The first sequence number is negotiated when the connection is established (three-way handshake) and then counted up automatically by both communication partners; packets with unexpected sequence numbers (i.e. sequence numbers that have already been received or that would exceed the available receive buffer) are discarded by the receiver.

In order to pose as the expected sender towards the recipient of a TCP data stream ("spoofing"), or even to take over the connection completely ("hijacking"), the attacker must first "guess" the sequence numbers expected by the respective recipient and at the same time ensure that its own data packets arrive before those of the actual sender (e.g. by simultaneously subjecting the sender to a denial-of-service attack). If this succeeds, the recipient discards the packets of the actual sender from then on, since the attacker has already delivered the corresponding sequence numbers to the recipient. From this point on, the attacker's packets appear to the recipient to come from the expected sender.

If the attacker also succeeds in blocking the actual sender for long enough that the sequence numbers the sender is counting differ from those of the recipient by more than the buffer size, he can send forged packets to the sender as well and thereby insert himself into the connection between both communication partners (TCP/IP hijacking), since for both of them the other party's sequence numbers are then outside the expected range.
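The receiver-side bookkeeping described in the two paragraphs above (in-order delivery, holding back out-of-order segments, and discarding segments whose sequence number is already consumed or lies beyond the receive window) as an added example that is not part of the Wikipedia article. This is a deliberately simplified Python model: the names `Receiver`, `Segment` and `seq_in_window` are my own, it ignores ACKs, flags and overlapping segments, and it models only the acceptance rule for the first byte of a segment. The final two segments in `demo()` show why a sender whose counter has drifted outside the window is simply ignored.

```python
# Added example: simplified model of TCP receiver sequence handling.
# Not from the Wikipedia article; constructed for illustration only.
from dataclasses import dataclass, field

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    seq: int     # sequence number of the first byte of this segment
    data: bytes  # payload (assumed non-overlapping with other segments)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Accept a segment only if rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32).

    Modular subtraction makes the check correct across the 32-bit wrap:
    a sequence number already consumed (seq < rcv_nxt) yields a huge
    positive distance and is rejected, just like one beyond the window.
    """
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Receiver:
    rcv_nxt: int                 # next sequence number expected in order
    rcv_wnd: int = 4096          # receive buffer size ("window")
    ooo: dict = field(default_factory=dict)          # out-of-order segments by seq
    delivered: bytearray = field(default_factory=bytearray)  # in-order stream
    dropped: list = field(default_factory=list)      # seq numbers discarded

    def receive(self, seg: Segment) -> bool:
        """Return True if the segment was accepted (buffered or delivered)."""
        if not seq_in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            self.dropped.append(seg.seq)
            return False
        self.ooo[seg.seq] = seg.data
        # Deliver every segment that is now contiguous with the stream.
        while self.rcv_nxt in self.ooo:
            data = self.ooo.pop(self.rcv_nxt)
            self.delivered += data
            self.rcv_nxt = (self.rcv_nxt + len(data)) % MOD
        return True


def demo() -> Receiver:
    """Constructed sequence of arrivals exercising the acceptance rule."""
    r = Receiver(rcv_nxt=1000)
    r.receive(Segment(1000, b"hello "))       # in order: delivered at once
    r.receive(Segment(1010, b"world"))        # early: held out of order
    r.receive(Segment(1006, b"TCP "))         # fills the gap: both delivered
    r.receive(Segment(1000, b"hello "))       # stale duplicate: discarded
    r.receive(Segment(1015 + 4096, b"x"))     # beyond the window: discarded
    return r


if __name__ == "__main__":
    r = demo()
    print(bytes(r.delivered), r.rcv_nxt, r.dropped)
```

Running the module prints the reassembled stream `b'hello TCP world'`, the next expected sequence number 1015, and the two discarded sequence numbers; the same window check is what makes a sender whose counter has fallen outside the receiver's range invisible to that receiver.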
