TCP sequence prediction attack

TCP sequence prediction (also called TCP sequence number prediction) is an attack method in TCP/IP networks by which an attacker poses to the victim as a different sender (IP spoofing) or takes over an existing connection (TCP/IP hijacking).

TCP numbers the data in every segment it sends so that the receiver can reassemble the data stream in the correct order, even if individual packets arrive with different delays or are lost. The initial sequence number is negotiated during connection setup and is then counted forward independently by each communication partner; packets with unexpected sequence numbers (that is, sequence numbers that have already been received, or that lie beyond the available receive buffer) are discarded by the receiver.

To pose to the receiver of a TCP/IP data stream as the expected sender ("spoofing"), or even to take over the connection completely ("hijacking"), the attacker must first try to guess the sequence numbers the receiver expects, and at the same time ensure that the attacker's packets arrive before those of the actual sender (for example, by simultaneously hitting the sender with a denial-of-service attack). If this succeeds, the receiver discards the packets of the actual sender, since the corresponding sequence numbers have already been used by packets the attacker sent to the receiver. From this point on, the attacker's packets appear to the receiver to come from the expected sender.

If the attacker is additionally able to block the actual sender long enough that the sequence numbers the sender keeps counting drift more than the buffer size away from those the receiver expects, the attacker can send forged packets and thereby insert itself into the connection between the two communication partners (TCP/IP hijacking), since the sequence numbers of the two legitimate parties are then each outside the range the other expects.
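The following example, added here and not part of the original article, models the two mechanisms the text relies on: the receiver's acceptance check (segments outside the window [rcv_nxt, rcv_nxt + rcv_wnd) are dropped, as the second paragraph describes) and the choice of initial sequence number, which decides how feasible the guessing described in the third paragraph is. The legacy fixed-step scheme and the RFC 6528 formula ISN = M + F(localip, localport, remoteip, remoteport, secret) are real; the step size 64000, the IP addresses, ports, clock values and the use of SHA-256 as F are constructed for illustration, and the receiver is a deliberately simplified model (no retransmission, no SACK, no connection state beyond the window).

```python
import hashlib
import os

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class TcpReceiver:
    """Toy model of the receive side of an established TCP connection.

    A segment is accepted only if its sequence number lies inside the
    receive window [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32.  Numbers
    below rcv_nxt were already received; numbers at or past the window
    end have no buffer space.  Both are dropped, as the article describes.
    """

    def __init__(self, isn, window):
        self.rcv_nxt = (isn + 1) % MOD  # the SYN consumes one sequence number
        self.rcv_wnd = window
        self.accepted = []
        self.dropped = []

    def in_window(self, seq):
        # Modular subtraction handles wrap-around near 2**32 correctly.
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def deliver(self, seq, payload):
        """Return True if the segment is accepted, False if it is discarded."""
        if not self.in_window(seq):
            self.dropped.append((seq, payload))
            return False
        if seq == self.rcv_nxt:  # in-order data: slide the window forward
            self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        self.accepted.append((seq, payload))  # out-of-order but in-window: buffered
        return True


def fixed_step_isn(previous_isn, step=64_000):
    """Legacy ISN scheme (constructed step): a constant increment per connection.
    One observed ISN reveals every later one, which is what makes the
    guessing in the article feasible."""
    return (previous_isn + step) % MOD


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us):
    """RFC 6528 style ISN: M + F(localip, localport, remoteip, remoteport, secret),
    with M a microsecond clock and F a keyed hash truncated to 32 bits
    (SHA-256 is an assumption here; the RFC leaves F to the implementer).
    Without the host secret, F cannot be computed from other connections' ISNs."""
    material = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode() + secret
    f = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return (clock_us + f) % MOD


def window_check_demo():
    """Walk a receiver through in-order, replayed and out-of-range segments.
    Returns the list of accept/drop decisions and the final rcv_nxt."""
    rx = TcpReceiver(isn=1000, window=10)
    results = [
        rx.deliver(1001, b"abc"),  # exactly rcv_nxt: accepted, window slides to 1004
        rx.deliver(1001, b"abc"),  # replay of data already received: dropped
        rx.deliver(1004, b"de"),   # next in-order segment: accepted, rcv_nxt 1006
        rx.deliver(5000, b"xx"),   # far outside the 10-byte window: dropped
    ]
    return results, rx.rcv_nxt


def isn_predictability_demo():
    """From one observed ISN, does a guess that assumes a fixed step match the
    real next ISN?  Exact for the legacy scheme; with RFC 6528 and a random
    host secret the guess is off by the per-connection hash value."""
    observed = fixed_step_isn(123_456)
    real_next = fixed_step_isn(observed)
    fixed_hit = (observed + 64_000) % MOD == real_next

    secret = os.urandom(16)  # host secret, unknown to an outside observer
    a = rfc6528_isn("10.0.0.1", 40000, "10.0.0.2", 80, secret, 1_000_000)
    b = rfc6528_isn("10.0.0.1", 40001, "10.0.0.2", 80, secret, 1_000_100)
    randomized_hit = (a + 100) % MOD == b  # clock moved 100 us, but F differs
    return fixed_hit, randomized_hit
```

`window_check_demo()` returns `([True, False, True, False], 1006)`: the replayed segment and the far-off segment are dropped exactly as the article says, which is also why forged packets must carry in-window numbers to be accepted at all. `isn_predictability_demo()` returns `(True, False)` (the second value is False except with probability 2^-32): the fixed-step scheme is fully predictable from a single observation, whereas the keyed hash in RFC 6528 is the standard mitigation, since the per-connection offset cannot be derived without the host secret.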
